Functionbeat not using timestamp from CloudWatch logEvent

sparrowt · May 30, 2019, 2:20pm

The CloudwatchLogs transformer in functionbeat (see here) is using time.Now() for the Timestamp field (ends up as @timestamp in Elasticsearch) rather than extracting the 'timestamp' field from the CloudWatch event, which is there alongside the 'message'.

This means the @timestamp in Elasticsearch is a variable number of seconds later than the actual time the log line was sent to CloudWatch, which is not helpful.

Is there any reason the code in the TODO cannot be uncommented?

Timestamp: time.Now(), // TODO: time.Unix(logEvent.Timestamp, 0),

As per the contributing guidelines I am asking here before filing an issue in GitHub.

Many thanks.

kvch · June 3, 2019, 8:05am

Please file an issue on GH. Thank you for reporting it and following the guidelines.

sparrowt · June 4, 2019, 10:12am

Thank you, filed here: https://github.com/elastic/beats/issues/12412

system · June 25, 2019, 12:20am

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[FunctionBeat] Timestamp Issue when collecting logs from cloudwatch Beats functionbeat	1	413	March 4, 2020
Timestamp field not populating correctly Beats functionbeat	2	436	May 5, 2019
How to parse functionbeat cloudwatch logs Beats functionbeat	1	400	October 30, 2020
Not seeing cloudwatch streamed logs via functionbeat in elasticsearch Kibana	2	355	August 14, 2020
@timestamp kibana and log time are differents Elasticsearch	3	5685	May 21, 2019

Functionbeat not using timestamp from CloudWatch logEvent

Related topics