So the thing is I have filebeat that ship the log file to logstash then to the elasticsearch cluster. And I created the data view the get the messages on the discover page. I wonder where this @timestamp field comes from? Is the time elasticsearch received the message? or the time logstash received the message? or filebeat scanned the message?
Thanks
Hey @LongKang_Fan - Take a look at this answer. I believe it's still relevant.
In your case assuming you are just using logstash as a passthrough the timestamp comes from filebeat per the description above.
If you want to use the timestamp that is within your message field you can do that with some processing.
@timestamp is from LS, they explained how is generated.
I assume you are confused why you have time difference. If you like to update @timestamp to correct value-from a log, you have to parse the message, extract date from the begging, 2nd field is IP of something, etc.
So, you need grok or dissect to split the message in the fields.
After that convert 1. field to date format and overwrite @timestamp. This is how you will have @timestamp from the log file.
date {
match => [ "timestamp", "MMM d HH:mm:ss.SSS", "MMM dd HH:mm:ss.SSS" ]
timezone => "Asia/Dubai" # optionally
target=> "@timestamp" # this is default
}
Hi @rios, Actually if he is using Filebeat -> Logstash -> Elasticsearch the @timestamp is from Filebeat
But I agree ... the user probably wants to use the timestamp from withing the message as you showed, then the @timestamp will most accurately match the data in the log.
Hi @stephenb
The reason I am doing this is I want to find a way to show the logs in the Kibana in order. So I am thinking it could help if the @timestamp comes from Filebeat since Filebeat reads the file line by line.
I wonder if the @timestamp comes from Filebeat, then the message shown on the Kibana should be ordered if I sort by @timestamp
So I have created a file named b.log and this is its content:
2023-03-03 10:06:19,855 192.168.0.1 fbloggs Protocol problem: connection reset 0
2023-03-03 10:06:19,856 192.168.0.1 fbloggs Protocol problem: connection reset 1
.......
.......
.......
2023-03-03 10:06:19,892 192.168.0.1 fbloggs Protocol problem: connection reset 196
2023-03-03 10:06:19,892 192.168.0.1 fbloggs Protocol problem: connection reset 197
2023-03-03 10:06:19,892 192.168.0.1 fbloggs Protocol problem: connection reset 198
2023-03-03 10:06:19,892 192.168.0.1 fbloggs Protocol problem: connection reset 199
And I use Filebeat -> Logstash -> Elasticsearch then gets the output but unordered.
Did you set the number of workers to 1 ? Logstash per default will process filters and outputs in parallel and does not guarantee event order.
You need to set pipeline.workers to 1 in your pipelines.yml for the pipeline you want to keep the order.
But even doing this, I'm not sure that the order is guaranteed in Kibana since you may have events with the same @timestamp value and they may be shown out of order.
Hi @leandrojmp
I did not set the workers to 1. I remembered that it will affect the performance if set to 1?
But even doing this, I'm not sure that the order is guaranteed in Kibana since you may have events with the same
@timestampvalue and they may be shown out of order.
I did not release the fact the messages will be out of order if the @timestamp values are the same! This is actually the reason and explains my previous post's issues. 
But how should I guarantee the order? Or, this is not recommended to do in Elasticsearch?
Yes, it could affect the performance, the processing will be done by 1 worker only and sequentially, not in parallel.
It really depends on your data, you would need to be able to have another field to sort on, for example, you could parse your message and put the value after connection reset on a field and sort using this field as well.
For elastic it makes no difference, it really depends on your data and what you want to do with it.
Hi @leandrojmp
Thanks! This really helps me a lot and makes me more clear!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
