Logstash creating directory too early


I have my Logstash instance create a new directory every day to store its logs. The config file is below. It seems to create a directory (and start using it) in the evening a day early, as opposed to creating it right after midnight (when the date actually changes). I am on the West coast (UTC−08:00). I am on an OEL OS.

Configuration:

input {
  udp {
    port => 6379
  }
}

filter {
  ruby {
    code => "event['@timestamp'] = event['@timestamp'].localtime('-08:00')"
  }
}

output {
  file {
    path => ["/logstash-1.4.1/logs/%{+YYYY-MM-dd}/logstash_in.txt"]
  }
  elasticsearch {
    protocol => http
  }
  stdout {
    codec => rubydebug
  }
}

My system date and time are correct:

[root@xxx]# date
Mon Jul 14 18:22:37 PDT 2014

There are 2 best solutions below

0
On BEST ANSWER

The short answer: the file output path timestamp %{+YYYY-MM-dd} refers to UTC time. That means your directory will be created in your evening.

For the long answer, you can refer to the file output source code. The path is

path = event.sprintf(@path)

Then drill down into event.rb:

t = @data["@timestamp"]
formatter = org.joda.time.format.DateTimeFormat.forPattern(key[1 .. -1])\
  .withZone(org.joda.time.DateTimeZone::UTC)
#next org.joda.time.Instant.new(t.tv_sec * 1000 + t.tv_usec / 1000).toDateTime.toString(formatter)
# Invoke a specific Instant constructor to avoid this warning in JRuby
#  > ambiguous Java methods found, using org.joda.time.Instant(long)
org.joda.time.Instant.java_class.constructor(Java::long).new_instance(
  t.tv_sec * 1000 + t.tv_usec / 1000
).to_java.toDateTime.toString(formatter)

The path parameter %{+YYYY-MM-dd} is based on UTC time (org.joda.time.DateTimeZone::UTC).

So there are two solutions to do what you need:

a) Modify event.rb to use your timezone, instead of UTC.

b) Create your own day field and use that field where you specified %{+YYYY-MM-dd}. Here is my configuration:

filter {
    ruby {
        code => "
            ownTime = event['@timestamp'].localtime('-08:00')
            event['day'] = ownTime.strftime('%Y-%m-%d')
        "
    }
}

output {
    file {
        path => "/logstash-1.4.1/logs/%{day}/logstash_in.txt"
    }
    stdout {
        codec => "rubydebug"
    }
}

Hope this can help you.
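An added example (not part of the original answer and not Logstash's own code) that reproduces the day-bucket arithmetic in plain Ruby, using the timestamp from the question's `date` output. The helper names are hypothetical and PDT is taken as UTC-07:00; the example also shows that a fixed `-08:00` offset rolls the directory over at 01:00 wall-clock time while PDT is in effect.

```ruby
require 'time'

# Day bucket as the file output's %{+YYYY-MM-dd} computes it: always UTC.
def utc_day(ts)
  ts.getutc.strftime('%Y-%m-%d')
end

# Day bucket for a fixed UTC offset, as in the answer's ruby filter.
def offset_day(ts, offset)
  ts.getlocal(offset).strftime('%Y-%m-%d')
end

# Wall-clock time (expressed in wall_offset) at which the bucket for `day`,
# computed with bucket_offset, starts receiving events.
def rollover_wall_clock(day, bucket_offset, wall_offset)
  y, m, d = day.split('-').map(&:to_i)
  Time.new(y, m, d, 0, 0, 0, bucket_offset)
      .getlocal(wall_offset)
      .strftime('%Y-%m-%d %H:%M')
end

# Constructed sample inputs. The first is the question's `date` output
# (Mon Jul 14 18:22:37 PDT 2014); the second is an event shortly after
# local midnight. PDT = UTC-07:00 is an assumption stated in the lead-in.
EVENING  = Time.iso8601('2014-07-14T18:22:37-07:00')
MIDNIGHT = Time.iso8601('2014-07-15T00:30:00-07:00')

if __FILE__ == $PROGRAM_NAME
  puts "UTC bucket for evening event:    #{utc_day(EVENING)}"
  puts "-08:00 bucket for evening event: #{offset_day(EVENING, '-08:00')}"
  puts "-08:00 bucket at 00:30 PDT:      #{offset_day(MIDNIGHT, '-08:00')}"
  puts "UTC bucket opens (PDT clock):    " \
       "#{rollover_wall_clock('2014-07-15', '+00:00', '-07:00')}"
  puts "-08:00 bucket opens (PDT clock): " \
       "#{rollover_wall_clock('2014-07-15', '-08:00', '-07:00')}"
end
```

During daylight saving time, events between 00:00 and 01:00 local time still land in the previous day's directory with the fixed offset, which matters when pulling a specific day's logs for review.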

0
On

If you want to convert the timezone based on the timezone's name:

filter {
  date {
    match => [ "@timestamp", "ISO8601" ]
    timezone => "America/New_York"
  }
}