
I have a logstash filter configuration as below:

```
filter {
  ...
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    target => "@timestamp"
    add_field => { "debug" => "timestampMatched" }
  }
  ...
}
```

When it filters an Apache Tomcat server log message with the date and time as:

```
message => [2015-12-03 16:46:49,240]
```

it generates the @timestamp field as:

```
"@timestamp" => "2015-12-03T21:46:49.240Z"
```

From this I understand that the timestamp field generated by Logstash is 5 hours ahead of the time present in the Tomcat log message.

To fix that, I modified the date section inside the filter, adding a timezone as follows:

```
date {
  match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
  target => "@timestamp"
  timezone => "EST"
  add_field => { "debug" => "timestampMatched" }
}
```

That doesn't work. Then I added a ruby block in the filter to make the @timestamp field match the server log message, with no luck, as follows:

```
ruby {
  code => "event['@timestamp'] = LogStash::Timestamp.new(Time.at(event['@timestamp'].to_i()).getlocal('-05:00'))"
}
date {
  match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
  target => "@timestamp"
  add_field => { "debug" => "timestampMatched" }
}
```

Any idea how I can make the @timestamp field match the date and time field in the server log message?

Thanks.

Arpit Aggarwal
  • What you're seeing is actually correct. The best practice is to **always** store timestamps in UTC (i.e. the `Z` timezone) and then let the front-end (Kibana or whatever) handle the timezone issue and display the dates in your local timezone. – Val Dec 20 '15 at 05:02
  • ok, thanks. I am using `Kibana (4.0.2)`, any idea how can I adjust `@timestamp` shown in Kibana same as in message, currently what I can see **`@timestamp in Kibana as December 21st 2015, 01:11:59.828`** whereas in message it's **`2015-12-20 14:41:59,828`** – Arpit Aggarwal Dec 20 '15 at 09:43
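
The following is an added example, not part of the original question or its comments. It uses plain Ruby `Time` (no Logstash classes) to show that the stored `Z` value and the Tomcat wall-clock value are the same instant, and that `getlocal` changes only the rendering. The helper names are hypothetical, and the `+05:30` viewer offset is an assumption chosen because it reproduces the Kibana value quoted in the second comment.

```ruby
require 'time'

# Tomcat timestamp layout from this page, plus an explicit source offset.
TOMCAT_FORMAT = '%Y-%m-%d %H:%M:%S,%L %z'

# Interpret a zone-less log timestamp as wall-clock time at source_offset
# and return the corresponding UTC instant.
def to_utc_instant(log_time, source_offset)
  Time.strptime("#{log_time} #{source_offset}", TOMCAT_FORMAT).getutc
end

# Render an instant the way it is stored: ISO 8601, UTC, milliseconds.
def as_stored(instant)
  instant.getutc.iso8601(3)
end

# Render the same instant for a viewer at viewer_offset (display only).
def as_displayed(instant, viewer_offset)
  instant.getlocal(viewer_offset).strftime('%Y-%m-%d %H:%M:%S.%L')
end

# Plain-Time equivalent of the ruby-filter attempt above: getlocal keeps the
# epoch value, so the UTC rendering does not move; to_i drops the milliseconds.
def relocalized(instant, offset)
  Time.at(instant.to_i).getlocal(offset)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed from the values quoted in the question and comments.
  first = to_utc_instant('2015-12-03 16:46:49,240', '-05:00')
  puts as_stored(first)                        # stored form (UTC)
  puts as_displayed(first, '-05:00')           # same instant, source wall clock
  puts as_stored(relocalized(first, '-05:00')) # unchanged hour, millis lost

  second = to_utc_instant('2015-12-20 14:41:59,828', '-05:00')
  puts as_displayed(second, '+05:30')          # assumed viewer offset
end
```
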
