Default "timestamp" field does not contain time zone information

c0herent · January 25, 2022, 5:32pm

Hello All,

I am experiencing an issue where the raw “timestamp” field stored in Elasticsearch is formatted as below:

“timestamp”:“2022-01-20 16:38:50.438”

As you can see, this timestamp does not include any time zone information. The time zone actually used is UTC. According to ISO 8601/RFC 3339, if no timestamp information is included the time is assumed to be local time.

In the same log entry, Winlogbeat stores the time in a correct ISO 8601 format:

“winlogbeat_@timestamp”:“2022-01-20T16:38:50.438Z”

The Z in the entry above indicates that this is the UTC timezone, which is correct.

The fact that Graylog does not include a time zone in its default timestamp while using UTC is causing issues with integration with the Grafana Elasticsearch plugin. Since no timezone information is provided, Grafana assumes the timestamp is local time. You can see other people experiencing the same issue in this thread:

github.com/grafana/grafana

Timezone issues with v.6.6

opened 09:30PM - 02 Feb 20 UTC

closed 01:17PM - 28 Apr 20 UTC

junior466

datasource/Elasticsearch

**What happened**: Timestamps of Elasticsearch now shown in UTC **What you expected to happen**: Timestamps show in my browser/local time. **How to reproduce it (as minimally and precisely as possible)**: Visualize a query from Elasticsearch **Anything else we need to know?**: **Environment**: - Grafana version: 6.6 - Data source type & version: Influxdb 1.7.9 - OS Grafana is installed on: Ubuntu 16.04 - User OS & Browser: Safari, Firefox, Chrome (All Latest) - Grafana plugins: - Others: After upgrading to the latest version of Grafana, my Elasticsearch queries are now showing timestamps in UTC even though that wasn't the issue before. I am using Graylog and have configured the Timezone to be in my local time but Elasticsearch remains default (UTC). Here's my post at community board. [Link](https://community.grafana.com/t/timestamp-in-utc-after-v-6-6/25316) Here's my post at Graylog community board. [Link](https://community.graylog.org/t/timezone-best-practice-grafana-issues/13722) EDIT Could be related to [#20812](https://github.com/grafana/grafana/pull/20812)?

For reference, I am running Graylog 4.1.9, but I don’t think the issue is version specific. Is this behavior something that can be fixed in a patch? Is there a workaround to change the default timestamp until another fix is available?

Thanks!

gsmith · January 26, 2022, 12:00am

Hello,

You could post here if you believe this is a bug or feature request.

You could create an extractor for that specific input and use the Date converter

Or you could use a pipeline/s there are many examples in the forum about pipelines/timestamps
change.

https://community.graylog.org/search?q=pipelines%2Ctimestamp

Hope that helps

c0herent · February 8, 2022, 3:18pm

Hi @gsmith,

Thanks for the info. I will try that workaround if I run into a message that only has the default timestamp. I will also investigate whether it makes sense to file this as a bug report.

Thanks!
-Ben

c0herent · February 8, 2022, 3:34pm

Submitted bug #12104 for this:

github.com/Graylog2/graylog2-server

Default “timestamp” field does not contain time zone information

opened 03:32PM - 08 Feb 22 UTC

c0herent

bug

Graylog is storing the raw “timestamp” field in Elasticsearch as formatted below…: “timestamp”:“2022-01-20 16:38:50.438” As you can see, this timestamp does not include any time zone information. The time zone actually used is UTC. According to ISO 8601/RFC 3339, if no time zone information is included the time is assumed to be local time. https://en.wikipedia.org/wiki/ISO_8601#Time_zone_designators In the same log entry, Winlogbeat stores the time in a correct ISO 8601 format: “winlogbeat_@timestamp”:“2022-01-20T16:38:50.438Z” The Z in the entry above indicates that this is the UTC timezone, which is correct. The fact that Graylog does not include a time zone in its default timestamp while using UTC is causing issues with integration with the Grafana Elasticsearch plugin. Since no timezone information is provided, Grafana assumes the timestamp is local time. You can see other people experiencing the same issue in this thread: https://github.com/grafana/grafana/issues/21890 For reference, I am running Graylog 4.1.9, but I don’t think the issue is version specific.

gsmith · February 9, 2022, 1:59am

Nice Thanks for keeping us informed

system · February 23, 2022, 1:59am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timezone best practice (Grafana issues) Graylog Central (peer support)	3	1141	February 16, 2020
Aggregation timestamp reverts to UTC although "timestamp" field is UTC+1 Graylog Central (peer support) time-stamp-issuespl	5	376	April 9, 2023
@timestamp field format in Graylog GUI Search doesn't show as UTC ISO8601 sent by filebeat beat Graylog Central (peer support) filebeat-linux , timestamp	9	725	May 13, 2023
Raw syslog input timezone issue Graylog Central (peer support)	10	1146	February 28, 2022
The timestamp returned by the graylog API is abnormal Graylog Central (peer support) timestamp	10	347	April 7, 2023

Default "timestamp" field does not contain time zone information

Related Topics