Using Filebeat, and Logstash 7.9. Customer logfiles have timestamps in local timezone. Want to let Logstash know in which timezone filebeat lives. Am able to do that via adding:
processors:
  - add_locale:
      format: abbreviation
in filebeat.yml, and in logstash filter using the event.timezone via:
grok {
  match => { "message" => "%{DATESTAMP:logdate} %{GREEDYDATA:jsonmess}" }
}
date {
  match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
  timezone => "{{ event.timezone }}"
}
Problem is that filebeat options for the timezone format are "offset" and "abbreviation", but logstash expects only "canonical IDs"! How can I make this work?
You can use the offset in the timezone option in the Logstash date filter.
For example, the following config will work without problems.
date {
  match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
  timezone => "-03:00"
}
Also, the way you are referencing the event.timezone field is wrong; you should use %{[event][timezone]} and not {{ event.timezone }}
Try to change your config to
date {
  match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
  timezone => "%{[event][timezone]}"
}
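Added example, not part of the original thread and not Logstash's own code: a Ruby sketch of what the grok and date steps above compute when event.timezone carries a Filebeat `format: offset` value, showing the UTC result and why an abbreviation cannot be used. The helper names `to_utc` and `normalize` and the sample events are constructed for illustration; the failure tags reuse Logstash's default tag names.

```ruby
require "time"

# Values Filebeat's add_locale emits with `format: offset`, e.g. "-03:00".
OFFSET_RE = /\A[+-]\d{2}:\d{2}\z/
# Leading "yy-MM-dd HH:mm:ss,SSS" timestamp, then the rest of the line.
LINE_RE = /\A(\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (.*)\z/m

# Convert a local-time log timestamp to an ISO 8601 UTC string using the
# shipper's UTC offset. Abbreviations ("CEST", "EST") carry no offset and
# are ambiguous, so they are rejected instead of guessed.
def to_utc(logdate, tz)
  raise ArgumentError, "not a UTC offset: #{tz.inspect}" unless OFFSET_RE.match?(tz)
  Time.strptime("#{logdate} #{tz}", "%y-%m-%d %H:%M:%S,%L %z").utc.iso8601(3)
end

# Hypothetical stand-in for the grok + date steps on one event hash.
def normalize(event)
  m = LINE_RE.match(event["message"])
  return event.merge("tags" => ["_grokparsefailure"]) unless m
  tz = event.dig("event", "timezone")
  event.merge("logdate" => m[1], "jsonmess" => m[2],
              "@timestamp" => to_utc(m[1], tz))
rescue ArgumentError
  # Bad or missing offset, or an impossible date: tag instead of dropping.
  event.merge("tags" => ["_dateparsefailure"])
end

# Constructed sample events, shaped like Filebeat output after add_locale.
SAMPLE = [
  { "message" => "20-09-15 14:03:22,123 {\"user\":\"a\"}",
    "event" => { "timezone" => "-03:00" } },   # format: offset
  { "message" => "20-12-31 23:30:00,000 {\"user\":\"b\"}",
    "event" => { "timezone" => "+05:30" } },   # crosses midnight in UTC
  { "message" => "20-09-15 14:03:22,123 {\"user\":\"c\"}",
    "event" => { "timezone" => "CEST" } }      # format: abbreviation
]

SAMPLE.each do |e|
  out = normalize(e)
  puts "#{e.dig('event', 'timezone')}: #{out['@timestamp'] || out['tags'].inspect}"
end
```

The offset is the shipper's offset at the time Filebeat reads the line, so lines written before a daylight-saving change and shipped after it are shifted by the difference.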