Edited an existing query to change the EventID being searched on. When I refreshed the query, the @timestamp that used to display date:time-400 now just shows date:timeZ (zulu).
Does it just take NLS to change the query timestamp or is this a bug like I read in another thread?
Timestamp changes to zulu when editing a query
-
krobertson71
- Posts: 444
- Joined: Tue Feb 11, 2014 10:16 pm
Re: Timestamp changes to zulu when editing a query
I have a test system running our latest development revision, and it is not experiencing this behavior.
I am having trouble reproducing this problem on a test box at version 2015R1.4. Can you give me some detailed instructions please?
It's likely that this bug will be fixed in our next revision, which is due to be released shortly.
-
krobertson71
- Posts: 444
- Joined: Tue Feb 11, 2014 10:16 pm
Re: Timestamp changes to zulu when editing a query
Honestly that is the best way I can describe it.
I had a saved query that searched a group of hosts for a particular eventid. Everything in the event list showed normally, including the timestamp with the proper -400. I went in and edited the EventID to search for and saved the query. Now when I run the query the @timestamp no longer shows -400 at the end, but Z, and the time is 4 hours ahead.
Like when editing the query it started to ignore UTC.
Maybe it just takes logstash or elastic search some time to update all the timestamps in the query.
We will see.
-
krobertson71
- Posts: 444
- Joined: Tue Feb 11, 2014 10:16 pm
Re: Timestamp changes to zulu when editing a query
Also out of curiosity.. where does NLS keep the user created queries in the filesystem? I would like to see one in the raw if that makes sense.
Re: Timestamp changes to zulu when editing a query
You can see the queries you have stored with the following command:
curl -XGET 'http://localhost:9200/nagioslogserver/_ ... ery&pretty'
I still cannot reproduce your problem. I would say that you should wait for our release in the next week or so - it may resolve your issue. The reason I think that is because I finished testing a bugfix similar to your issue. That bugfix will be included in the release I mentioned above.
-
krobertson71
- Posts: 444
- Joined: Tue Feb 11, 2014 10:16 pm
Re: Timestamp changes to zulu when editing a query
Thank you very much. I will wait for the update.
You can close this ticket.