Kibana Displays Timestamps Unintuitively #137652
Labels
Feature:FieldFormatters
impact:medium
Addressing this issue will have a medium level of impact on the quality/strength of our product.
Team:DataDiscovery
Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL.
It is my opinion that the Kibana handling of timestamps is very confusing. First I'll describe how Kibana currently handles them, then make a suggestion for what to do instead.
How Kibana currently handles timestamps:
Timestamps from log collectors are assumed to be in UTC. However, Kibana will display the times converted to the local time of the Kibana instance. The original (assumed to be UTC) timestamp can be seen in the JSON of any given document, but will be displayed in local time in table form.
The actual document matches that shown in the document’s JSON (which is always assumed to be UTC); the time shown in table form, the @timestamp field shown in table form, and the time shown in histograms all are converted to local time.
If timestamps are provided with a time zone, this will automatically be converted to UTC. Because the timestamp is converted to UTC, this means that the event.timezone field will always be either “+00:00” or null. Unlike the timestamp, this will not be converted to local time in table form. Like the timestamp, the JSON form of the document will show that if the event.timezone field exists, it will be in UTC (i.e. always “+00:00”).
(Explanation of above) To get the displayed timestamp from the original event, first the original timestamp 2020-03-01T11:02:36+10:00 is converted to UTC. This is stored as the document’s timestamp; here, it would be stored in the document as "@timestamp": "2020-03-01T01:02:36.000Z". From here, the display converts the UTC timestamp to the local time; being in Central Daylight Time (UTC-05:00), this ends up with the date Feb 29, 2020 @ 19:02:36.000.
Complaint
It is in no way obvious that the timestamp is being converted to local time for Kibana, but is not converted in the document itself. It is also very confusing that the event.timezone is not converted, when you would expect it to be if the timestamp itself is.
Proposal
Add some label in at least the histogram and table that implies the displayed times are shown in local time but stored in UTC. This could be as simple as including the local timezone (e.g. UTC-05:00 or CDT) in the histogram time labels and in the time and @timestamp fields in table form.
I am admittedly much less certain that I have a good solution than I am in the unacceptability of the status quo.
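The conversion chain described in the issue, as an added example that is not part of the original post or of Kibana's code: it takes the issue's sample timestamp from source offset to stored UTC to a viewer's zone, and renders the displayed value with its UTC offset attached so it cannot be mistaken for the stored one. The helper names `ingest` and `inZone` are hypothetical, and `America/Chicago` is an assumed viewer time zone.

```javascript
// Added example: hypothetical helpers, not Kibana or Elasticsearch code.

// Parse an ISO 8601 timestamp and keep the source offset, which is
// no longer recoverable once only the UTC value is stored.
function ingest(original) {
  const m = /(Z|[+-]\d{2}:\d{2})$/.exec(original);
  if (!m) throw new Error('timestamp carries no offset: ' + original);
  const instant = new Date(original);
  if (Number.isNaN(instant.getTime())) throw new Error('unparseable: ' + original);
  return {
    stored: instant.toISOString(),                 // value held in the document JSON
    sourceOffset: m[1] === 'Z' ? '+00:00' : m[1],  // must be kept separately
  };
}

// Render a stored UTC value as wall-clock time in `timeZone`,
// with the zone's UTC offset at that instant appended.
function inZone(storedUtc, timeZone) {
  const instant = new Date(storedUtc);
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23',
    year: 'numeric', month: '2-digit', day: '2-digit',
    hour: '2-digit', minute: '2-digit', second: '2-digit',
  }).formatToParts(instant);
  const p = {};
  for (const { type, value } of parts) p[type] = value;
  // Read the wall-clock fields back as if they were UTC; the gap is the offset.
  const wall = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  const offMin = Math.round((wall - instant.getTime()) / 60000);
  const pad = (n) => String(n).padStart(2, '0');
  const abs = Math.abs(offMin);
  const offset = (offMin < 0 ? '-' : '+') + pad(Math.floor(abs / 60)) + ':' + pad(abs % 60);
  return `${p.year}-${p.month}-${p.day}T${p.hour}:${p.minute}:${p.second}${offset}`;
}

// The sample timestamp from the issue.
const event = ingest('2020-03-01T11:02:36+10:00');
console.log('source offset :', event.sourceOffset);
console.log('stored (UTC)  :', event.stored);
console.log('viewer display:', inZone(event.stored, 'America/Chicago'));
// The viewer's offset depends on the date, which is why the label matters.
console.log('same zone, Jul:', inZone('2020-07-01T01:02:36.000Z', 'America/Chicago'));
```

When correlating events across sources, comparing the `stored` values avoids any dependence on the viewer's zone.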