Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some filebeat modules incorrectly parse timestamps #13877

Closed
9 tasks done
jsoriano opened this issue Oct 2, 2019 · 2 comments
Closed
9 tasks done

Some filebeat modules incorrectly parse timestamps #13877

jsoriano opened this issue Oct 2, 2019 · 2 comments
Assignees
@jsoriano
Labels
bug Filebeat Filebeat in progress Pull request is currently in progress. meta Team:Integrations Label for the Integrations team

Comments

@jsoriano
Copy link
Member

jsoriano commented Oct 2, 2019
edited by andresrc
Loading

There are still some filebeat modules with similar issues to the ones fixed in #13308, probably caused by #12253. Timestamps without timezone are parsed as UTC and then converted to a different timezone, what is incorrect, they should be parsed directly as the final timezone.

#13874 has been created to earlier detect unexpected changes in timestamps when non-UTC timezones are used. We could identify some modules where this seems to be still happening:
@jsoriano jsoriano added bug Filebeat Filebeat meta Team:Integrations Label for the Integrations team labels Oct 2, 2019
@jsoriano jsoriano self-assigned this Oct 2, 2019
@jsoriano jsoriano added the in progress Pull request is currently in progress. label Oct 2, 2019
This was referenced Oct 2, 2019
Closed
Merged
Merged
Merged
@atoom
Copy link

atoom commented Oct 3, 2019

Hi,

I can confirm that timezone conversion for Logstash plain logs is an issue with Filebeat 7.3.2. I checked the generated ingest pipeline and I can resolve the issue by refactoring the date processing to look the same way as the Kafka module. The fix for me was to do the following in the ingest pipeline:

  • Do not use the ISO8601 format shorthand but instead use an explicit format string (yyyy-MM-dd'T'HH:mm:ss,SSS)
  • Do not chain the two date processor but instead use the logstash.log.timestamp as source field and @timestamp as target field in both processors

Not sure if my fix is the preferred way to do it though :)

/Andreas

@jsoriano
Copy link
Member Author

jsoriano commented Oct 3, 2019

Hey @atoom, yes, this is the fix we are applying in modules with similar issues, we'll do the same in logstash.

This was referenced Oct 3, 2019
Merged
Merged
jsoriano added a commit that referenced this issue Oct 3, 2019
@jsoriano
Fix timezone parsing of logstash module ingest pipelines (#13890)
774efc2 
Use the same date format that we are using now for Elasticsearch
timestamps without timezone, that is the same format used for
timestamps in Logstash plain text logs.

Similar to #13308, related to #13877.
This was referenced Oct 4, 2019
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsoriano jsoriano

Labels
bug Filebeat Filebeat in progress Pull request is currently in progress. meta Team:Integrations Label for the Integrations team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jsoriano @andresrc @atoom