How to configure index pattern to use custom timestamp in Kibana

himaz.m · November 18, 2016, 8:13am

I'm using,

filebeat version 5.0
elasticsearch version 5.0
kibana version 5.0

I have a log file with below format

{"timestamp":"2016-11-10 06:06:11","severity":"INFO","service": "login request","trace":"1e2rexxxxxxxx","span": "1e2rexxxxxxxx","exportable":"false","pid": "10144","thread": "http-nio-9200-exec-2","class":"org.apache.http.wire","logData": "some data"}
{"timestamp":"2016-11-10 06:06:11","severity":"DEBUG","service": "order request","trace":"1e3rexxxxxxxx","span": "1e3rexxxxxxxx","exportable":"false","pid": "10144","thread": "http-nio-9200-exec-2","class":"org.apache.http.wire","logData": "some more data"}

And I have created the index as below using the curl command.

curl -XPUT http://10.44.2.48:9200/toastconnector -d '
{
"mappings" : {
"default" : {
"properties" : {
"timestamp": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss" },
"severity": { "type": "string", "index": "not_analyzed" },
"service": { "type": "string", "index": "not_analyzed" },
"trace": { "type": "string", "index": "not_analyzed" },
"span": { "type": "string", "index": "not_analyzed" },
"exportable": { "type": "string", "index": "not_analyzed" },
"pid": { "type": "string", "index": "not_analyzed" },
"thread": { "type": "string", "index": "not_analyzed" },
"class": { "type": "string", "index": "not_analyzed" },
"logData": { "type": "string", "index": "not_analyzed" }
}
}
}
}
';

I have a requirement to filter/search any 'service' (e.g. login request) within a certain date and time frame and I want it to be configured in my dashboard as well. When I try to configure index pattern in Kibana with the check box 'Index contains time-based events' option enabled, I get only the default @timestamp field (which I assume shows the index created date time) on 'Time-field name', but not the timestamp field I have in my log file. How can I do configure to pick the timestamp in my log file?

tylersmalley · November 19, 2016, 2:00am

I went through the steps as you outlined and was able to successfully add the timestamp field created in the mapping.

Can you view the mapping API and ensure you have the timestamp field?

http://10.44.2.48:9200/toastconnector

himaz.m · November 19, 2016, 5:20pm

Thank you @tsmalley. Yes, It is there in the mapping (http://10.44.2.48:9200/toastconnector) and it is being indexed too (refer: below screenshot).

But my question is, can I configure my custom timestamp field to use in 'Index contains time-based events'? (Refer the below screenshot, it shows only the default '@timestamp' field)

himaz.m · November 22, 2016, 7:12am

@tsmalley I'm not sure whether you have noticed my question in the previous post, since it is in the middle of 2 inline images. So i'm posting it again.

Christian_Dahlqvist · November 22, 2016, 10:20am

Your 'timestamp' field is mapped as a string, which is why it is not available for selection as a date field in Kibana. If you want to extract the timestamp from the logs you will need to do this using either Logstash or the new ingest node functionality. As this will require you to change the mapping for that field you will need to reindex your data.

himaz.m · November 23, 2016, 9:55am

In my mapping i have mapped it to date as "timestamp": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss" }, Why it is showing as string in Kibana? Any help would be appreciated.

Christian_Dahlqvist · November 23, 2016, 9:58am

Has that template been applied? What do you get if you retrieve the actual mappings for the index?

himaz.m · November 23, 2016, 10:07am

Yes, following is the template I added using template API.

{
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "norms": {
          "enabled": false
        }
      },
      "dynamic_templates" : [{
		"strings_as_keyword" : {
			"mapping" : {
				"ignore_above" : 1024,
				"index" : "not_analyzed",
				"type" : "string"
			},
			"match_mapping_type" : "string"
			}
		}],
      "properties": {
        "timestamp": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss" },
        "severity": { "type": "string", "index": "not_analyzed" },
        "service": { "type": "string", "index": "not_analyzed" },
        "trace": { "type": "string", "index": "not_analyzed" },
		"span": { "type": "string", "index": "not_analyzed" },
        "exportable": { "type": "string", "index": "not_analyzed" },
		"pid": { "type": "string", "index": "not_analyzed" },
		"thread": { "type": "string", "index": "not_analyzed" },
		"class": { "type": "string", "index": "not_analyzed" },
		"logData": { "type": "string", "index": "not_analyzed" }
      }
    }
  },
  "settings": {
    "index.refresh_interval": "5s"
  },
  "template": "toastconnector-*"
}

And when I retrieve the index using http://10.44.2.48:9200/toastconnector, I get the below response.

{
	"toastconnector" : {
		"aliases" : {},
		"mappings" : {
			"_default_" : {
				"properties" : {
					"class" : {
						"type" : "keyword"
					},
					"exportable" : {
						"type" : "keyword"
					},
					"logData" : {
						"type" : "keyword"
					},
					"pid" : {
						"type" : "keyword"
					},
					"service" : {
						"type" : "keyword"
					},
					"severity" : {
						"type" : "keyword"
					},
					"span" : {
						"type" : "keyword"
					},
					"thread" : {
						"type" : "keyword"
					},
					"timestamp" : {
						"type" : "date",
						"format" : "yyyy-MM-dd HH:mm:ss"
					},
					"trace" : {
						"type" : "keyword"
					}
				}
			}
		},
		"settings" : {
			"index" : {
				"creation_date" : "1479385319679",
				"number_of_shards" : "5",
				"number_of_replicas" : "1",
				"uuid" : "2zv0hizeRjqxn89nV-lkhg",
				"version" : {
					"created" : "5000099"
				},
				"provided_name" : "toastconnector"
			}
		}
	}
}

system · December 21, 2016, 10:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.