Wrong timestamp in Kibana

John_06 · July 12, 2017, 11:35pm

I have the following configuration:

Filebeat -> Kafka -> Logstash -> ES

In logstash.conf I assign value of variable logTimestamp to @timestamp:

grok {
  match => {"message" => "(?<logTime>[0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3})"}
}
ruby {
  code => 'event.set("currentDate", Time.now.getlocal("-05:00").strftime("%Y.%m.%d"))'
}
ruby {
  code => 'event.set("logTimestamp", event.get("currentDate") + " " + event.get("logTime"))'
}
date {
  match => ["logTimestamp", "YYYY.MM.dd HH:mm:ss,SS"]
}

So the field values of logTimestamp and @timestamp should be the same. But in Kibana I can see they are different:
:

This is what Logstash logs show:

"logTimestamp" => "2017.07.12 00:59:24,578",
  "@timestamp" => 2017-07-12T22:06:22.463Z,

It's also unclear what timestamp value is assigned to @timestamp.
Could anybody explain why that happened?

John_06 · July 13, 2017, 4:21am

Found the typo: extra S should be added to match => ["logTimestamp", "YYYY.MM.dd HH:mm:ss,SS"]

tatdat · July 13, 2017, 8:42am

@timestamp -> time when log write to ES ( localtime)
logTimestamp -> time of log, it's generated by program .... Sometime, logTimestamp is time in GMT.

i think that :). i hope it'll useful with you

system · August 10, 2017, 8:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.