Date fields not being treated as timestamp fields in Kibana index patterns

abhinav_chourasia · January 25, 2022, 7:03am

I have been trying to get the mapping correct for my date values in my documents. I have come down to doing a lot of hit and trial now with it. Every time and no matter what option I try, I am not getting the date field in my document treated as a timestamp column while creating Kibana index patterns.

Here are the various options I have tried (hit and trial because I feel like a total noob with ELK ) with my index mappings:

trial 1:

{
    "mappings" : {
        "properties" : {
                 "Created" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "keyword"
            }
          },
          "format": "strict_date_optional_time||epoch_millis"
        },
        "Due date" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "keyword"
            }
          },
          "format": "strict_date_optional_time||epoch_millis"
        },
        "Updated" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "keyword"
            }
          },
          "format": "strict_date_optional_time||epoch_millis"
        }
      }
    }
}

trial 2

    {
    "mappings" : {
        "properties" : {
                 "Created" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "keyword"
            }
          }          
        },
        "Due date" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "keyword"
            }
          }
        },
        "Updated" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "keyword"
            }
          }
        }
      }
    }
}

trial 3

    {
    "mappings" : {
        "properties" : {
                 "Created" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "date"
            }
          }          
        },
        "Due date" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "date"
            }
          }
        },
        "Updated" : {
          "type" : "date",
          "fields" : {
            "keyword" : {
              "type" : "date"
            }
          }
        }
      }
    }
}

And then each of the trials above with the below :

    "_default_": {
  "_timestamp": {
    "enabled": true,
    "store": true,
    "_field_names": "_timestamp"
  }
},

and then each of the

  "fields" : {
    "keyword" : {
      "type" : "date"
    }

specified with the format again explicitly with each of the above combinations.
and that’s how my sample document looks like (different trials)

trial doc 1

{ "Created": "15/11/21 13:21",
  "Updated": "30/12/21 14:30",
  "Due date": null
}

tried doc 2

{ 
  "Created": 1636982460000,
  "Updated": 1640874600000,
  "Due date": null
}

and none of the above combinations seems to make the needed fields as a timestamp field while creating the index patterns in Kibana, (Elasticsearch & Kibana 7.15)

I am sure there is a lot to learn here. Could someone please guide in the right direction? Lest I end up writing an automation for generating the various combinations (and ofcourse that would be brainless & for sure not lead to any good )

tsullivan · January 25, 2022, 8:16pm

Have you tried without using multi-fields?

Add an index template that will match the indices with your data:

PUT /_index_template/abhinavlogs-dev
{
  "index_patterns": [ "abhinavlogs-*" ],
  "template": {
    "mappings": {
      "properties": {
        "Created": { "type": "date" },
        "Updated": { "type": "date" },
        "DueDate": { "type": "date" } # Note: do not put spaces in the field name.
      }
    }
  }
}

Index data into the matching index:

POST /abhinavlogs-001/_doc
{
  "Created": "2022-01-25T20:02:13Z",
  "Updated": "2022-01-25T20:02:13Z",
  "DueDate": null
}

Check the mapping of the index

GET /abhinavlogs-001/_mapping

I haven't tried using multi-fields for the date fields, but if you start with this, maybe you can work up to what you really need.

tsullivan · January 25, 2022, 8:17pm

BTW, you don't need to have spaces in the field name. You can put a custom label on the field to make it show up with a space in Kibana:

system · February 22, 2022, 8:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date not correctly detected/mapped Kibana	4	2572	September 28, 2017
Fields with date type not showing up in time-field drop down in Kibana Kibana	9	9264	July 6, 2017
Documents not getting indexed with custom timestamp Logstash	1	325	October 23, 2018
Kibana ML Kibana elastic-stack-machine-learning	10	422	December 31, 2018
Kibana field is date, not string Kibana	3	424	October 16, 2018

Date fields not being treated as timestamp fields in Kibana index patterns

Related Topics