Date freeze in index after rollover (only in windows) logstah 7.9.2


After a few hours reviewing configurations and creating and deleting index and creating ILM noticed an issue with the logstash 7.9.2 windows version, that freezes date fields in new index when doing rollover.
Let me put you into context, we have a logstash 7.9.2 on a windows server, to read application logs and to feed a al index into an elastic (7.9.1) index with some date fields. This Index has a ILM and in Kibana a few timeseries Dashboards using the date in the index as reference.
At start everything is fine and visualize correctly the data in the dashboards, but as soon as the index is rolledover and starts reading from the new one, the date fields in the index freeze (checked the fisical log and date is fine) and in consequence dashboards fail in visualization.
This has been "fixed" by changing logstash version to 6.1.
Also this not happen when the logstash (7.9.2) is on a linux server

Not sure if this is the channel to report this issue, if this is so, please let me know how to report it

Index mapping: (partial)

  "gi-inbo-connection-manager-000054" : {
    "aliases" : {
      "gi-inbo-connection-manager-alias" : {
        "is_write_index" : false
    "mappings" : {
        "rqTimestamp" : {
          "type" : "date",
          "format" : "epoch_millis"
        "rqTimestampTrace" : {
          "type" : "date",
          "format" : "yyyy-MM-dd HH:mm:ss"

Logstash config:

input {
        file {
           path => "C:/XX/XX/XX/XX/logKibana.log"
           start_position => beginning
		   sincedb_path => "NUL"

filter {
      json {
        source => "message"

output {
        stdout { codec => rubydebug}
           elasticsearch {
             hosts => ["XXXX.XXX.XX.XX:9200"]
              index => "gi-inbo-connection-manager-alias"


What do you mean by this?

Say that whe have an index with rqTimestamp that logs an incoming request timestamp field in index gi-inbo-connection-manager-000001. When it's rolled over to gi-inbo-connection-manager-000002 the rqTimestamp freezes in the last timestamp recorded in gi-inbo-connection-manager-000001, for all new documents. It does not show the real timestamp that is in the log (double check the phisical log for the date to be OK).
Stangerlly this only happens when logstash 7.9.2 version is running on windows server. Lower version workes fine or on linux works fine also

I cannot imagine what could be causing that.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.