Wrong timestamp in kibana index

Tejas_Bhosale · September 14, 2021, 12:24pm

I get worng time data in my index in kibana there is around lot of difference in @timestamp and log_timestamp field.

grok filter which i am using

          grok {
            match => [ "message" , '%{IP:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] "%{IPORHOST:http_host}" "%{WORD:request_method} %{DATA:uri} HTTP/1.1" %{NUMBER:response} %{NUMBER:bytes} (?:%{DATA:http_refer}|-) %{QS:agent} "(?:%{IPV4:upstream_addr}|-)" (?:%{NUMBER:upstream_connect_time}|-) (?:%{NUMBER:upstream_header_time}|-) (?:%{NUMBER:upstream_response_time}|-) (?:%{NUMBER:request_time}|-)' ]
            overwrite => [ "message" ]
          }
         mutate {
           convert => ["response", "integer"]
           convert => ["bytes", "integer"]
           convert => ["responsetime", "float"]
           rename => ["agent", "filebeat_agent" ]
         }
         geoip {
           source => "remote_addr"
           add_tag => [ "nginx-geoip" ]
         }
         date {
           match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
           remove_field => [ "timestamp" ]
#           target => "@timestamp"
         }
         useragent {
           source => "agent"
         }
  }
}

To push log from client i am using filebeat nginx module with some fields. See below attached image you can see time difference in index

leandrojmp · September 14, 2021, 12:34pm

Is this your full configuration pipeline?

Your date filter is trying to match the field timestamp, but your grok does not create a field called timestamp, it creates a log_timestamp.

Have you tried using log_timestamp in your date filter?

Tejas_Bhosale · September 15, 2021, 10:13am

Thanks it worked for me.
Thanks for your help

system · October 13, 2021, 10:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.