Event.ingested huge time difference

AnkurYogi · May 22, 2023, 6:47am

Hello All,

While investigating on an event I noticed there was a huge difference between event.created and event.ingested which created a confusion on the real event time.

Later digging in docs resulted
event.ingested: timestamp when an event arrived in the central data store.
This is different from @timestamp, which is when the event originally occurred. It’s also different from event.created, which is meant to capture the first time an agent saw the event.

Now how do I prove that why elasticsearch is ingesting logs so slowly or there is something wrong with elastic agent?

Will be happy to provide all the necessary details.

Christian_Dahlqvist · May 22, 2023, 8:46am

The lag seems very, very long. Is this something you see consistently for this type of event? Which timezone are you in? Is it possible this could be a timezone issue?

AnkurYogi · May 22, 2023, 10:38am

No, it isn't time zone issue I crosschecked the NTP.

Christian_Dahlqvist · May 22, 2023, 10:42am

It could be a timezone issue based on how the timestamps are parsed even if NTP is OK.

Please answer the questions I asked.

AnkurYogi · May 22, 2023, 10:53am

I didn't noticed it eariler but checking now it looks like there is at least a time difference of 2-3 hours for every event.
Timezone:- IST.

Christian_Dahlqvist · May 22, 2023, 11:02am

How are you ingesting data? What does the flow of these events look like?

AnkurYogi · May 22, 2023, 11:06am

It's the basic architecture.
ELK and fleet on a single host nothing fancy.

system · June 19, 2023, 11:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.