Wrong timestamp on kibana

leostereo · September 25, 2020, 12:55pm

Hi , guys.
I can not properly set time on my kibana web.
As you can see on picture bellow , timestamp on kibana and timestamp on elasticsearch returned document has a 3 hours difference.
Other:
Both , kiabana and elastic are running on same server , time is ok on this server.
I already set timezone on kibana config.
Dont know what else to do.
Thanks for your help.

btw:
Already googled about this, but can not find any usefull help.
Thanks!
Leandro.

Dzmitry · September 25, 2020, 6:34pm

Hi @leostereo,

Since changing timezone in Kibana settings did not help, what version of Elastic Stack you are using?
What is your server timezone? Is the data getting stored in ES with the correct values?
Just to double check, ES treats timestamp as UTC by default.

Regards, Dzmitry

leostereo · September 26, 2020, 2:50pm

Dear @Dzmitry.
Im running version 7.9.0.
Server time seems to be ok.
tecnetadmin@ubuntu-elk:~$ sudo dpkg-reconfigure tzdata

Current default time zone: 'America/Argentina/Mendoza'
Local time is now:      Sat Sep 26 11:03:37 -03 2020.
Universal Time is now:  Sat Sep 26 14:03:37 UTC 2020.

Here is how I build the time string to insert on elastic.

 [leo@arch ~]$ cat test.sh 
    a=$(date "+%F %T")
    b="${a/ /T}.000Z"
    echo $b
    [leo@arch ~]$ bash test.sh 
    2020-09-26T11:11:08.000Z

Data is geeting stored ok , for example using this littel script:

root@UBUNTU-SMOKE:/opt/lease_parse# cat date.sh 
#!/bin/bash

a=$(date "+%F %T")
b="${a/ /T}Z"
echo "$b"
A=1111
C=3333

curl -XPOST "http://172.30.6.113:9200/dhcp_leases/_doc/" -H 'Content-Type: application/json' -d'{"router":"lujan","current":'$A',"previous":'$C',"timestamp":"'$b'"}'

inserting a test document:

root@UBUNTU-SMOKE:/opt/lease_parse# bash date.sh 
2020-09-26T11:42:44Z
{"_index":"dhcp_leases","_type":"_doc","_id":"n8rdynQBT4bdce0nv8nQ","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":20,"_primary_term":2}root@UBUNTU-SMOKE:/opt/lease_parse#

Then I can see on kibana (discover) , last inserted register:

Sep 26, 2020 @ 08:42:44.000                                  (wrong time here)
router:
    lujan
current:
    1,111
previous:
    3,333
timestamp:
    Sep 26, 2020 @ 08:42:44.000
_id:
    n8rdynQBT4bdce0nv8nQ
_type:
    _doc
_index:
    dhcp_leases
_score:
    -

But if I look on elastic , i have:
GET dhcp_leases/_doc/n8rdynQBT4bdce0nv8nQ

wich returns:

{
  "_index" : "dhcp_leases",
  "_type" : "_doc",
  "_id" : "n8rdynQBT4bdce0nv8nQ",
  "_version" : 1,
  "_seq_no" : 20,
  "_primary_term" : 2,
  "found" : true,
  "_source" : {
    "router" : "lujan",
    "current" : 1111,
    "previous" : 3333,
    "timestamp" : "2020-09-26T11:42:44Z"                        (time is ok)
  }
}

ok thats the complete process.
Please let me know if it is clear or something else to check.
Perhaps need to change the timestamp string format ?
Thanks for your help!!

leandrojmp · September 26, 2020, 3:22pm

If you set your timezone in kibana to browser and you are running it from a machine in the UTC - 3, your time is correct in Kibana, dates stored in elasticsearch are always in UTC.

You say that this time is correct.

"timestamp" : "2020-09-26T11:42:44Z"

This is in UTC, it will show up in Kibana as 2020-09-26 08:42:44 for a browser in the UTC - 3 timezone, which seems to be your case since you are using Mendonza time in Kibana.

Looking at your example script you are setting your local time which is UTC - 3 as UTC.

I'm also on a UTC - 3 and running date in my system gives me the following timestamp:

sáb set 26 12:29:55 -03 2020

This time in UTC should be 15:29:55, that it is what should be ingested in elasticsearch.

Running your script would set this date to:

2020-09-26T12:29:55Z

This is 09:29:55 in UTC - 3.

Try to change your script to something like this:

#!/bin/bash
  
a=$(date "+%F %T")
b="${a/ /T} -3:00"
echo "$b"

It will result in the following timestamp:

2020-09-26T12:32:28 -3:00

Which contains the timezone information and elasticsearch will store as 2020-09-26T15:32:28 and show in kibana as 2020-09-26 12:32:28 for a browser in your timezone.

leostereo · September 30, 2020, 12:06pm

Thanks my friend:
This make the trick:
a=$(date -u "+%F %T")

Im wondering if is there some way to tell to elasticsearch to store data with my local timezone just to keep all simplier.
Could not find this on documentation.
Regards.
Leandro.

leandrojmp · September 30, 2020, 12:20pm

It is not possible, the dates will always be stored as UTC in elasticsearch.

leostereo · October 1, 2020, 1:35pm

ok , thanks for your words , so it makes sense to directly send timestamp in utc zone.
Thanks.

system · October 29, 2020, 1:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.