FAQ: How do time zones work in LogScale?

LogScale is capable of handling most situations that involve time zones. Two details to keep in mind when using time zones:

  • Everything internal to LogScale uses Coordinated Universal Time (UTC).

  • UI logs are displayed relative to your browser's local time zone, i.e. UTC is converted to your local time.

LogScale also leverages different time-related fields in various ways:

  • @rawstring generally includes some type of timestamp, e.g. a syslog header.

  • @timestamp is the time field used for everything by default. This is in UTC.

    • If the parser is able to obtain a time from the @rawstring field, then the time is converted to UTC and stored in the @timestamp field. This leverages the time zone specified in the logs.

    • If the time zone isn't specified in the log, i.e. the time is stated but doesn't include a time zone, then UTC time is assumed by default. This can cause events to appear in the future, for example an event taking place in GMT-5 will be logged 5 hours ahead.

  • The @ingesttimestamp field denotes the time the event was ingested by LogScale, and uses UTC.

  • If a timestamp can't be found, then the data in the @timestamp field sets the @ingesttimestamp field.

  • The @timestamp.nanos field holds the sub-second nanosecond component that some timestamps include.

  • The @timezone field contains the assumed time zone parsed from the logs.

Timestamps are handled by the parser assigned to the ingest token, primarily through two functions: findTimestamp() and parseTimestamp(). The findTimestamp() function is generally the easiest to use, but it assumes the event contains a correct timestamp that it can locate on its own. The parseTimestamp() function lets you be extremely specific about your data's time format and time zone.

For example, say your logs are sent in Eastern Standard Time but the log lines don't include a time zone:

parseTimestamp("MMM [ ]d HH:mm:ss", field=@timestamp, timezone="America/New_York")

This parses the @timestamp field in the stated format and assumes the stated time zone (America/New_York, the IANA name; note the underscore). The built-in default parsers also contain several examples for reference.
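The following Python example is added here to illustrate the two points above; it is not part of the LogScale documentation and does not use LogScale itself. It emulates what parseTimestamp("MMM [ ]d HH:mm:ss", timezone=...) does to a zone-less syslog header (read the time, attach the assumed zone, normalise to UTC) and then computes the skew between the resulting @timestamp and @ingesttimestamp under the default UTC assumption and under the correct America/New_York assumption. The sample log lines, the ingest time and the assumed year are constructed; the function names are this example's own, not LogScale functions. A skew check like flag_skewed_events() is a cheap way to catch a feed whose parser was given the wrong time zone: every event lands a whole zone offset (here five hours) away from its ingest time instead of a few seconds.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample events (not from the page). Each syslog header carries a
# time but no zone and no year, so both must be assumed, exactly the situation
# parseTimestamp(..., timezone=...) is meant to resolve.
SAMPLE_LINES = [
    "Mar  5 14:02:17 host01 sshd[4242]: Accepted publickey for ops",
    "Mar  5 14:02:18 host01 sudo: ops : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]
ASSUMED_YEAR = 2024

# Constructed @ingesttimestamp: the events reached the collector a few seconds
# after they happened. 14:02:17 in New York on this date (EST, UTC-5) is
# 19:02:17 UTC, so an ingest time of 19:02:20 UTC is realistic.
INGEST_UTC = datetime(2024, 3, 5, 19, 2, 20, tzinfo=timezone.utc)


def parse_syslog_timestamp(line: str, tz: str = "UTC") -> datetime:
    """Emulate parseTimestamp("MMM [ ]d HH:mm:ss", timezone=tz) on a syslog header.

    The first 15 characters are the header ("Mar  5 14:02:17"); split() absorbs
    the double space syslog uses to pad single-digit days, which is what the
    "[ ]" optional section in the LogScale format string handles.
    """
    month, day, clock = line[:15].split()
    local = datetime.strptime(f"{ASSUMED_YEAR} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    # Attach the assumed zone, then store as UTC, as LogScale does for @timestamp.
    return local.replace(tzinfo=ZoneInfo(tz)).astimezone(timezone.utc)


def timestamp_skew(line: str, ingest_utc: datetime, tz: str = "UTC") -> timedelta:
    """@timestamp minus @ingesttimestamp under a given time zone assumption."""
    return parse_syslog_timestamp(line, tz) - ingest_utc


def flag_skewed_events(lines, ingest_utc: datetime, tz: str = "UTC",
                       tolerance: timedelta = timedelta(minutes=5)) -> list:
    """Return the lines whose @timestamp is more than `tolerance` away from the
    ingest time in either direction. A whole feed tripping this by a round
    number of hours is the signature of a wrong (or missing) timezone= setting
    for a zone-less log format, rather than of genuinely late data.
    """
    return [l for l in lines if abs(timestamp_skew(l, ingest_utc, tz)) > tolerance]


if __name__ == "__main__":
    for tz in ("UTC", "America/New_York"):
        skews = [timestamp_skew(l, INGEST_UTC, tz).total_seconds() for l in SAMPLE_LINES]
        flagged = flag_skewed_events(SAMPLE_LINES, INGEST_UTC, tz)
        print(f"timezone={tz!r}: skew in seconds {skews}, flagged {len(flagged)} of {len(SAMPLE_LINES)}")
```

Running the block prints a skew of roughly -18000 seconds (the full EST offset) for every line under the UTC assumption and a skew of a few seconds under America/New_York; the two events are flagged in the first case and not in the second. The same comparison can be expressed in LogScale as a query over @timestamp and @ingesttimestamp once the parser is in place.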