Convert timestamp timezone in Logstash for output index name

Question

In my scenario, the \"timestamp\" of the syslog lines Logstash receives is in UTC and we use the event \"timestamp\" in the Elasticsearch output:

output {
           


        

Answer 1

In version 1.5.0, we can convert timestamp by local timezone for the index name. Here is my configuration:

filter {
    ruby {
        code => "event['index_day'] = event.timestamp.time.localtime.strftime('%Y.%m.%d')"
    }
}
output {
    elasticsearch {
        host => localhost
        index => "thrall-%{index_day}"
    }
}