12 May 2017
12:05 p.m.
Hi,

On Fri, May 12, 2017 at 06:38:46AM -0400, Scot wrote:
> I don't get it, I don't have that in my current ES target for syslog.
Kibana and most other frontends, and maybe even libraries, use the query's time to infer the index name: syslog-ng_${YEAR}.${MONTH}.${DAY} in your example. They use the UTC timezone to do that. If you use localtime, as in your example (implicitly), documents having 00:30 as timestamp, for example, will end up in the wrong index, and this will also depend on DST. When you search for them in Kibana you might end up with wrong results.

TL;DR: use time-zone("UTC") in your elasticsearch destination whenever you use time-based indices. Maybe we should even add that to the default SCL.
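To make the mismatch described above concrete, here is an added example (not part of the thread, and not syslog-ng or Kibana code) that computes the index name syslog-ng would write to when $YEAR/$MONTH/$DAY are expanded in local time versus UTC, and compares it with the index a front-end derives from the UTC query time. The central European offsets (CEST UTC+2, CET UTC+1) and the 00:30 sample event are constructed stand-ins for a real DST-observing zone.

```python
from datetime import datetime, timedelta, timezone

# Index name pattern from the thread: syslog-ng_${YEAR}.${MONTH}.${DAY}
INDEX_PATTERN = "syslog-ng_%Y.%m.%d"

# Constructed stand-ins for a DST-observing zone (central Europe):
# summer offset UTC+2, winter offset UTC+1. A real zone flips between them.
CEST = timezone(timedelta(hours=2), "CEST")
CET = timezone(timedelta(hours=1), "CET")

# Constructed sample event: 00:30 local on 12 May 2017 (CEST), i.e. 22:30 UTC on 11 May.
SAMPLE_EVENT_UTC = datetime(2017, 5, 12, 0, 30, tzinfo=CEST).astimezone(timezone.utc)
SUMMER_DAY = datetime(2017, 5, 12)
WINTER_DAY = datetime(2017, 1, 12)


def destination_index(event_utc: datetime, dest_tz: timezone) -> str:
    """Index the elasticsearch destination writes to when $YEAR/$MONTH/$DAY are
    expanded in dest_tz (local time unless time-zone("UTC") is configured)."""
    return event_utc.astimezone(dest_tz).strftime(INDEX_PATTERN)


def frontend_index(event_utc: datetime) -> str:
    """Index Kibana and similar front-ends derive from the query time, always in UTC."""
    return event_utc.astimezone(timezone.utc).strftime(INDEX_PATTERN)


def routing_matches(event_utc: datetime, dest_tz: timezone) -> bool:
    """True when a search for this event looks in the index it was written to."""
    return destination_index(event_utc, dest_tz) == frontend_index(event_utc)


def misrouted_hours_per_day(day: datetime, dest_tz: timezone) -> int:
    """Count local hours of `day` that land in a different index than the front-end
    expects. Equals the zone's UTC offset in hours, so it changes with DST."""
    count = 0
    for hour in range(24):
        local = datetime(day.year, day.month, day.day, hour, 30, tzinfo=dest_tz)
        if not routing_matches(local.astimezone(timezone.utc), dest_tz):
            count += 1
    return count


if __name__ == "__main__":
    print("local-time destination:", destination_index(SAMPLE_EVENT_UTC, CEST),
          "front-end expects:", frontend_index(SAMPLE_EVENT_UTC))
    print("UTC destination:", destination_index(SAMPLE_EVENT_UTC, timezone.utc),
          "match:", routing_matches(SAMPLE_EVENT_UTC, timezone.utc))
    print("misrouted hours/day, summer:", misrouted_hours_per_day(SUMMER_DAY, CEST),
          "winter:", misrouted_hours_per_day(WINTER_DAY, CET))
```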