My log is a JSON one-liner output by a Node.js application; it has a field called "time" which holds a GMT timestamp.
{ "req": {}, "time":"2016-05-12T19:18:38.123Z" }
I want to keep the timestamp in GMT in Kibana, but it is not as straightforward as I thought. It took me a couple of hours to make the timestamp work correctly with Fluentd, Elasticsearch and Kibana.
I use in_tail and fluent-plugin-elasticsearch to parse the log and load it into Elasticsearch, and I search the logs using Kibana.
Here is my fluentd config file.
<source>
@type tail
format json
read_from_head true
path <path>/debug.log
pos_file /var/run/td-agent/pos/debug.log.pos
keep_time_key true
time_key time
time_format "%FT%T.%L%z"
refresh_interval 10s
tag debug
</source>
<match debug>
@type elasticsearch
hosts my-es-server-1,my-es-server-2
logstash_format true
logstash_prefix debug
utc_index true
time_key time
time_key_format %FT%T.%L%z
</match>
keep_time_key, time_key and time_format are all necessary in in_tail. Because the default value of time_key is time and keep_time_key is true, fluentd will always parse the timestamp from your JSON message.
- If you don't put keep_time_key, the field time will be removed, and the timestamp will be in the timezone of the host where td-agent is running.
- If you don't give time_format, the default time parser cannot parse this format because the time has milliseconds, so your @timestamp will be wrong.
- In elasticsearch you need to put time_key. Fluentd will copy time to @timestamp, so @timestamp will have the exact same UTC string as time. time_key_format will be used to parse the time and generate the logstash index name when logstash_format=true and utc_index=true, so an index name like debug-2016.05.12 will match the times in your log.
- In Kibana, you might see the timestamp is actually shown in your local timezone like 'PDT'. Go to "Settings -> Advanced -> dateFormat:tz" and change the default value "Browser" to "GMT", so that all the timestamps will be shown as GMT times.
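To make the three settings concrete, here is a small Ruby script added for this post (not part of Fluentd or the config above) that parses the sample line with the same time_format through Ruby's strptime, which is what Fluentd uses, and builds the logstash-style index name from either the UTC date or the host-local date. The host and browser offsets are assumptions standing in for a PDT machine, and the seconds-only format used to show the parse failure is also an assumption, not a claim about Fluentd's actual default.

```ruby
require 'json'
require 'time'

# Constructed sample line with the same shape as the log in the post.
LOG_LINE = '{ "req": {}, "time":"2016-05-12T19:18:38.123Z" }'

# time_format from the in_tail source (also the time_key_format of the
# elasticsearch match). Fluentd hands it to Ruby's strptime, used directly here.
TIME_FORMAT = "%FT%T.%L%z"

# Pull the "time" key out of the JSON record and parse it, as in_tail does with
# time_key/time_format set. Returns nil when the format does not match the
# string, e.g. a seconds-only format fed a timestamp with milliseconds.
def parse_time(line, format = TIME_FORMAT)
  Time.strptime(JSON.parse(line)["time"], format)
rescue ArgumentError
  nil
end

# Logstash-style index name "<prefix>-YYYY.MM.DD". With utc_index true the date
# comes from the UTC clock, otherwise from the host's local clock. host_offset
# is an assumption of this example standing in for the zone of the machine
# running td-agent ("-07:00" models PDT).
def index_name(time, prefix: "debug", utc_index: true, host_offset: "+00:00")
  t = utc_index ? time.getutc : time.getlocal(host_offset)
  "#{prefix}-#{t.strftime('%Y.%m.%d')}"
end

# What Kibana shows for the same instant: dateFormat:tz = "Browser" (modelled
# here by browser_offset) versus dateFormat:tz = "GMT" (browser_offset nil).
def kibana_display(time, browser_offset: nil)
  t = browser_offset ? time.getlocal(browser_offset) : time.getutc
  t.strftime("%Y-%m-%dT%H:%M:%S.%L%:z")
end

if __FILE__ == $PROGRAM_NAME
  t = parse_time(LOG_LINE)
  puts "parsed (UTC):              #{t.getutc.iso8601(3)}"
  puts "index, utc_index true:     #{index_name(t)}"
  # Just after midnight UTC: a PDT host without utc_index picks the previous day.
  late = parse_time('{ "time":"2016-05-13T03:18:38.123Z" }')
  puts "index, PDT host, utc_index false: #{index_name(late, utc_index: false, host_offset: '-07:00')}"
  puts "seconds-only format parses to:    #{parse_time(LOG_LINE, '%Y-%m-%dT%H:%M:%S%z').inspect}"
  puts "Kibana Browser (PDT):      #{kibana_display(t, browser_offset: '-07:00')}"
  puts "Kibana GMT:                #{kibana_display(t)}"
end
```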