Different time field instead of @timestamp and filters

Hi,

I've recently inherited an ELK instance where all indexes are mapped with @timestamp as time field. Users are complaining a lot because the meaningful timestamp is not @timestamp, but some @event_time field instead. That field is properly recognized as a time-formatted field and can be used to plot data, but the time filter in the upper right corner (Kibana 6.x by the way) is still @timestamp, due to the index pattern I guess.

As far as I know, I believe that I can change the time field by modifying the index pattern definition. So just two questions:

- Can I have a different time field per index? (different sources have different "timestamp" fields)
- If I change a time field for one index, will it be the one used in the upper right corner time filter? Or is that filter always related to @timestamp?

Thanks a lot in advance for your help!

Kibana has so-called "index patterns" - it's a piece of configuration including stuff like formatting information and also the index pattern string itself, which is sent to Elasticsearch to define which data indices to query. The important piece of configuration in the index pattern saved object is the default time field - it's what's used to build the time filter part of the query based on the time picker in the top right of Kibana.

On a dashboard each panel can be tied to a different index pattern (which can have different time fields). If the dashboard loads, the time range selected in the picker from the top right is passed to each panel and each panel is doing a separate request to Elasticsearch. This means each panel is separate from the others and can use a separate time field.

So if you have different time fields in different indices, create separate index patterns in Kibana and pick different default time fields. If they are used together, each separate query will set a filter on the right time field without interfering with the other panels.
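To make the mechanism above concrete, here is an added illustration (not Kibana's own code, and not part of the original reply) of how one time-picker range fans out into a separate Elasticsearch range filter per panel. The index-pattern ids, titles, the `@event_time` field and the sample document are constructed; only the `timeFieldName` attribute of the index-pattern saved object and the shape of the Elasticsearch `range` clause follow the real thing.

```python
"""Per-panel time filters built from one Kibana-style time picker range.

Added illustration, not Kibana's own code. Index-pattern ids, titles and the
sample document are constructed; "timeFieldName" (the saved-object attribute
Kibana reads) and the Elasticsearch range query shape are the real ones.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed index patterns (assumed names). One keeps @timestamp, the other
# uses @event_time as its default time field.
INDEX_PATTERNS: Dict[str, Dict[str, str]] = {
    "legacy-logs": {"title": "legacy-*", "timeFieldName": "@timestamp"},
    "app-events": {"title": "app-*", "timeFieldName": "@event_time"},
}


def range_filter(time_field: str, gte: str, lte: str) -> dict:
    """Elasticsearch range clause for the picker range on the given field."""
    return {"range": {time_field: {"gte": gte, "lte": lte,
                                   "format": "strict_date_optional_time"}}}


def build_panel_query(pattern_id: str, gte: str, lte: str,
                      panel_query: Optional[dict] = None) -> dict:
    """The request one panel sends: its own index pattern, its own time field."""
    pattern = INDEX_PATTERNS[pattern_id]
    must = [panel_query] if panel_query else [{"match_all": {}}]
    return {
        "index": pattern["title"],
        "body": {"query": {"bool": {
            "must": must,
            "filter": [range_filter(pattern["timeFieldName"], gte, lte)],
        }}},
    }


def build_dashboard_queries(panels: List[dict], gte: str, lte: str) -> List[dict]:
    """The picker range is passed unchanged to every panel; each builds its own query."""
    return [build_panel_query(p["pattern"], gte, lte, p.get("query")) for p in panels]


def _parse(ts: str) -> datetime:
    # fromisoformat() only accepts "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def doc_matches(doc: dict, query: dict) -> bool:
    """Evaluate just the range filter locally, to show which docs a panel would see."""
    for clause in query["body"]["query"]["bool"]["filter"]:
        for field, bounds in clause["range"].items():
            if field not in doc:
                return False
            value = _parse(doc[field])
            if not (_parse(bounds["gte"]) <= value <= _parse(bounds["lte"])):
                return False
    return True


# Constructed sample document: ingested days after the event it describes.
SAMPLE_DOC = {"@timestamp": "2019-01-05T00:00:00Z",
              "@event_time": "2019-01-01T12:00:00Z"}

if __name__ == "__main__":
    queries = build_dashboard_queries(
        [{"pattern": "legacy-logs"}, {"pattern": "app-events"}],
        "2019-01-01T00:00:00Z", "2019-01-02T00:00:00Z")
    for q in queries:
        print(q["index"], "->", q["body"]["query"]["bool"]["filter"][0],
              "matches sample:", doc_matches(SAMPLE_DOC, q))
```

Running it shows the same picker range producing a filter on `@timestamp` for the `legacy-*` panel and on `@event_time` for the `app-*` panel; the sample document, whose ingest time lies outside the range but whose event time lies inside it, is returned only by the second panel, which is exactly why the two index patterns do not interfere.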

Woah Joe, that's an amazing explanation! Crystal clear!
Also, I had no idea about the "insides" of the time picker, the fact that it sends the "time" in an agnostic way that is then translated into the proper time field depending on the index is really cool.

Thanks a lot for your help, this has been really useful. I believe I can "tame" a bunch of users with this :slight_smile:
