Daily index rotation bug

justinw · December 17, 2018, 10:53pm

Hi,

Every now and then a few documents (less than 1% of total logs) get placed into a daily index where the 20 in 2018 is replaced by 00.

For example,

logstash-6.4.3-0018.12.08

Has anyone encountered this? Seems like a bug somewhere, since all other docs get placed fine.

Best, Justin

yaauie · December 18, 2018, 12:37am

I'm guessing that you are including a sprintf statement that relies on the value of @timestamp in your declaration of which index to insert docs into (e.g., index => "logstash-6.4.3-%{+yyyy.MM.dd}").

what does the value of @timestamp indicate?
If this is also showing years far in the past, how are you populating @timestamp (likely a date filter)?

justinw · December 18, 2018, 9:29pm

Oh nice, good call. There's a date filter on nginx logs, and for these lines the date string is something like 18-12-08T01:34:06+00:00.

Thanks @yaauie!

system · January 15, 2019, 9:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic @timestamp off by almost 3 years Elasticsearch	3	376	July 25, 2018
Logstash Output to Elasticsearch using todays date instead of @timestamp Logstash	6	2692	June 3, 2020
Timestamp changes in logstash input? Logstash	1	250	August 27, 2021
I wonder about logstash YYYY.MM.dd Logstash	10	1262	August 12, 2020
Date filter vs. accepting @timestamp as-is Logstash	3	445	January 15, 2018

Daily index rotation bug

Related topics