Filebeat | Ordering Messages

Kryten · October 10, 2016, 9:16am

Hi,

Would appreciate any advice on how the following problem might be overcome using the available options.

We are sending logs using Filebeat and all is working well apart from the timestamp of the log message. The application producing the logs is a little imprecise (no Ms value) around the timestamps of the logs. As such we are seeing many log events with exactly the same timestamp down the second.

Eg (the timestamp is in the LogTime field):

Event 1:
"LogTime" => "2016-08-11 14:42:54",

Event 2:
"LogTime" => "2016-08-11 14:42:54",

Event 3:
"LogTime" => "2016-08-11 14:42:54",

You get the idea.

I would like to inject a unique sequence number into the document - ideally inside Filebeat itself, so that when the documents are inspected in ES it would be possible to order the events by that sequence of numbers.

The objective is to have some way to render the sequence of events in the same order they were read out of the logfile in the first place.

Would appreciate any suggestions, thanks.

ruflin · October 10, 2016, 10:41am

You could use the offset to sort on which is sent with each event.

Kryten · October 10, 2016, 5:56pm

Brilliant. Thanks @ruflin I was removing that field. Yes, that will do the trick nicely. Thank you.

system · October 31, 2016, 9:16am

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Restore the sequence of the events Beats	10	2701	December 22, 2016
How to control the filebeat read file sequence Beats filebeat	8	4366	July 5, 2017
Ensuring order for syslog events Beats filebeat	6	529	April 4, 2019
How can filebeat confirm the logs sequence that log do not have timestamp? Beats filebeat	1	307	March 13, 2019
Filebeat is not polling the logs in the order of their time stamp Beats filebeat	15	404	April 28, 2024

Filebeat | Ordering Messages

Related Topics