Hello,
I am on Graylog 2.5.1 (but same issue on 2.4.6).
All my servers/admin user are configured to use Europe/Brussels (GMT +1).
I have a GELF input which sends in data with the ‘timestamp’ field in UTC (as it should). The server based ‘Timestamp’ (with a capital) shows a correct localized timestamp of when the message came in.
When I query in the corresponding stream using e.g. ‘last five minutes’ there is no result, but if I use 2 hours I get results.
Checking the query shows that the query is passed in without any timezone info, but uses localized time and is not translated to UTC. Btw, it’s not logical the filter cannot be visualized if no results are found …
```json
{
  "from": 0,
  "size": 150,
  "query": {
    "bool": {
      "must": {
        "match_all": {}
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "timestamp": {
                  "from": "2019-01-08 17:13:33.632",
                  "to": "2019-01-08 19:13:33.632",
                  "include_lower": true,
                  "include_upper": true
                }
              }
            },
            {
              "query_string": {
                "query": "streams:5c34f00bc889fd031fe8917a"
              }
            }
          ]
        }
      }
    }
  },
  "sort": [
    {
      "timestamp": {
        "order": "desc"
      }
    }
  ]
}
```
This seems to me to be incorrect as the server cannot deduce how to convert the filter range to UTC and compare it to the timestamp field (which is correctly stored as UTC). Instead it just interprets this AS UTC and then compares it, which is wrong …
I think the server-side should be able to handle any time comparisons, regardless of which time zone and I have no reason to believe this is not so. However, the UI should send in queries in UTC or with a timezone so this can be achieved.
I hope my assessment is correct; if not, I appreciate any pointers to a consistent solution (I have read most of the posts about timezones!).
Yves
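
The scenario described in the post above, worked through as an added example (not part of the original post and not Graylog code): it renders "last N minutes" as zone-less bounds and checks a UTC-stored message against them under both readings. `NOW`, `MSG` and the helper names are constructed for illustration, and `LOCAL` is the post's "GMT +1" taken as a fixed offset.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S.%f"            # bound format used in the query above
UTC = timezone.utc
LOCAL = timezone(timedelta(hours=1))     # "GMT +1" from the post, as a fixed offset

def to_utc(bound, tz):
    """Attach tz to a zone-less bound string and convert it to UTC."""
    return datetime.strptime(bound, FMT).replace(tzinfo=tz).astimezone(UTC)

def in_range(msg_utc, frm, to, tz):
    """Inclusive range check, as with include_lower/include_upper = true."""
    return to_utc(frm, tz) <= msg_utc <= to_utc(to, tz)

def relative_bounds(now_utc, minutes, tz):
    """Render 'last N minutes' as zone-less strings in tz wall-clock time."""
    hi = now_utc.astimezone(tz)
    lo = hi - timedelta(minutes=minutes)
    return tuple(d.strftime(FMT)[:-3] for d in (lo, hi))

def bound_reading(to, now_utc, tolerance=timedelta(minutes=1)):
    """Decide which reading puts the upper bound of a relative query at 'now'."""
    for name, tz in (("utc", UTC), ("local", LOCAL)):
        if abs(to_utc(to, tz) - now_utc) <= tolerance:
            return name
    return "neither"

# Constructed scenario: the instant the 2-hour query would have been sent if its
# upper bound were local wall-clock time, and a message stored 2 minutes earlier.
NOW = datetime(2019, 1, 8, 18, 13, 33, 632000, tzinfo=UTC)
MSG = NOW - timedelta(minutes=2)

if __name__ == "__main__":
    for minutes in (5, 120):
        frm, to = relative_bounds(NOW, minutes, LOCAL)
        print(minutes, frm, to,
              "as UTC:", in_range(MSG, frm, to, UTC),
              "as local:", in_range(MSG, frm, to, LOCAL))
    print("upper bound matches now when read as:", bound_reading(to, NOW))
```

On a live system, the same check is to compare the `to` bound of a relative query with the current UTC time: a bound that sits one offset ahead of UTC is wall-clock time without a zone.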