
Time zone setting not reflected in timestamp

  • December 3, 2025

Kohei1117

I can't add a timezone setting to the timestamp.
The part of the parser that extracts the timestamp is below.
----------
date {
match => ["eventtime1", "UNIX", "UNIX_MS"]
on_error => "not_eventtime1_valid"
}
----------

I tried the following settings:

----------
date {
match => ["eventtime1", "UNIX", "UNIX_MS"]
timezone => "Asia/Tokyo"
on_error => "not_eventtime1_valid"
}
----------

Result:
No change.


----------
date {
match => ["eventtime1", "yyyy-MM-dd HH:mm:ss"]
timezone => "Asia/Tokyo"
on_error => "not_eventtime1_valid"
}
----------

Result:
Syntax error.
The current time is stored in UNIX time in timestamp.

Is it possible to reflect the time zone setting in the above settings?

2 replies

cmmartin_google
Staff

Epoch timestamps are always Coordinated Universal Time (UTC), so as such are timezone independent, and there is no need (point) to specify a timezone parameter.

For the second example if `eventtime1` were in that format, that would be a suitable use of the timezone parameter:

date {
match => ["logtime", "yyyy-MM-dd HH:mm:ss"]
timezone => "America/New_York"
on_error => "no_match"
}

Kohei1117
  • Author
  • New Member
  • December 4, 2025

> Epoch timestamps are always Coordinated Universal Time (UTC), so as such are timezone independent, and there is no need (point) to specify a timezone parameter.
>
> For the second example if `eventtime1` were in that format, that would be a suitable use of the timezone parameter:
>
> date {
> match => ["logtime", "yyyy-MM-dd HH:mm:ss"]
> timezone => "America/New_York"
> on_error => "no_match"
> }

Thank you for your reply.
Let me explain the issue in more detail.

The following eventtime exists in the log:
eventtime= [removed by moderator] 518829

The following extracts the first 10 characters as eventtime1, and by default it is extracted in UNIX time.
-----------
if [eventtime] != "" {
  # reduce epoch time from microseconds to seconds (first 10 digits)
  grok {
    match => {
      "eventtime" => [
        "(?P<eventtime1>\\d{10}).*"
      ]
    }
    on_error => "not_eventtime1"
  }
  if ![not_eventtime1] {
    # eventtime1 is epoch seconds, so it is parsed with the UNIX formats
    date {
      match => ["eventtime1", "UNIX", "UNIX_MS"]
      on_error => "not_eventtime1_valid"
    }
  }
}
-----------

Replacing the date{} part with the following will display the current UTC time as the timestamp instead of the eventtime time.
date {
match => ["eventtime1", "yyyy-MM-dd HH:mm:ss"]
on_error => "not_eventtime1_valid"
}
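
The behaviour discussed in this thread, as an added example that is not part of any post and is not the product's own code: Python that mirrors the 10-digit extraction and shows that a zone changes only how an epoch instant is rendered, while it does change the instant parsed from a `yyyy-MM-dd HH:mm:ss` string. The sample `eventtime` value, the function names and the fixed +09:00 offset standing in for `Asia/Tokyo` are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed +09:00 offset standing in for "Asia/Tokyo" (no DST in Japan).
JST = timezone(timedelta(hours=9))
# Constructed sample: 2025-12-03 00:00:00 UTC in epoch microseconds.
SAMPLE_EVENTTIME = "1764720000123456"
WALLCLOCK = "%Y-%m-%d %H:%M:%S"  # strptime form of "yyyy-MM-dd HH:mm:ss"


def epoch_prefix_to_utc(eventtime: str) -> datetime:
    """First 10 digits -> epoch seconds -> an absolute instant in UTC."""
    m = re.match(r"(\d{10})", eventtime)
    if m is None:
        raise ValueError("not_eventtime1")
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def wallclock_to_utc(text: str, zone: timezone) -> datetime:
    """A wall-clock string carries no offset, so the zone decides the instant."""
    naive = datetime.strptime(text, WALLCLOCK)
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def matches_wallclock(text: str) -> bool:
    """True if text fits the wall-clock pattern; a 10-digit epoch does not."""
    try:
        datetime.strptime(text, WALLCLOCK)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    instant = epoch_prefix_to_utc(SAMPLE_EVENTTIME)
    print("stored instant (UTC):", instant.isoformat())
    # A zone changes only how the instant is rendered, not the instant itself.
    print("rendered in JST:     ", instant.astimezone(JST).isoformat())
    # The same wall-clock text maps to different instants depending on the zone.
    print("09:00 read as JST:   ", wallclock_to_utc("2025-12-03 09:00:00", JST).isoformat())
    print("09:00 read as UTC:   ", wallclock_to_utc("2025-12-03 09:00:00", timezone.utc).isoformat())
    print("epoch fits pattern?  ", matches_wallclock(SAMPLE_EVENTTIME[:10]))
```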