This is my problem:
Before Elasticsearch version 2.0.0, Elasticsearch added a field called "_timestamp" when indexing each log line.
But now, it's deprecated.
My Elasticsearch version is 2.3.3.
How can I do the same thing? Create a field called "indexing_ts" and move the current indexing time into it?
I have the @timestamp field added by Logstash (I call it "parsing_ts"),
but it is missing the moment when Elasticsearch indexes (writes) the log line in my cluster.
I need it to calculate the lag between parsing and indexing time...
Do you understand my demand?
Thank you very much.
There has been some discussion about this kind of question already in this issue. The overall suggestion there seems to be that the new Ingest node feature can be leveraged to add a field to the document when it enters the cluster. Also, there's some very recent discussion of adding something like a _last_modified field with clearer semantics to take part of that load.
Thank you, Christoph, for your answer.
Unfortunately, it means that what I expect doesn't exist in Elasticsearch v2.3.3...
Maybe a new field can be inserted in a future version (_last_modified)...
As one guy wrote in the discussion you showed me, why has "_timestamp" been deleted?