问题现象

Logstash向ES输入的数据，总是滞后8小时… 导致0～8点的数据，都会写入前一天的logstash index…

既然总是落后8小时,自然就联想到了时区的问题,查了下果然线上使用的是UTC时间

默认的@timestamp默认的时间是UTC time

解决问题

在logstash中，将@timestamp转换

filter{
..........
    ruby {
        code => "event.set('index_day', event.get('[@timestamp]').time.localtime.strftime('%Y%m%d'))"
    }
    ##或者试试下面的
    ruby {
        code => "event['@timestamp'] = event['@timestamp'].getlocal"
    ｝
}

output {
  csv {
     path => "/var/csv_reports/%{index_day}/transaction-report.csv"
     fields => ["timestamp","tid","api","publisher","user","consumerKey","application","app_id"]
  }
}