Date processor on ingest do not create a date type on elasticsearch

thuck · August 8, 2019, 3:02pm

When parsing a field on the ingest pipeline; I would expect that the field would be created as Date on elasticsearch, but what I see is that they are created as String.
I tried two different ways of parsing, below the samples:

Trying to overwrite the same time:

    {
        "date": {
            "field": "request.time",
            "ẗarget_field": "request.time",
            "formats": ["ISO8601"],
            "ignore_failure": true,
            "timezone": "UTC"
        }
    }

Creating a new field:

    {
        "date": {
            "field": "request.time",
            "ẗarget_field": "request_time",
            "formats": ["ISO8601"],
            "ignore_failure": true,
            "timezone": "UTC"
        }
    }

Am I missing something? Convert processor do not have an option for date.
The format of the date is a valid ISO8601:
"time":"2019-07-29T20:23:33.222Z"

spinscale · August 9, 2019, 5:34am

such an ISO field should be automatically mapped as a date. Can you provide a fully reproducible example as well as the elasticsearch version you are using?

Thanks!

thuck · August 9, 2019, 12:45pm

@spinscale the log comes from filebeat parsing a log from a container (running on docker); as far as I understand the

"date_detection": false

(Disable date detection in index templates by andrewkroh · Pull Request #3528 · elastic/beats · GitHub) is the default settings and I believe this is why it was not detected as a date automatically; so I tried to include the date processor to force the type to be a date.
I know that the processor works because on my second example the new field request_time is created just fine, but with the type string instead of date.
For the versions I'm using:
elasticsearch-7.1.1-1.x86_64
filebeat-7.1.1-1.x86_64

system · September 6, 2019, 12:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.