Kibana 4.1.1 unable to map timestamp which is in UNIX Epoch format

cloud_admin · August 28, 2015, 1:30pm

Hi Team,

I have recently upgraded my Kibana from 3 to 4.1.1, my nginx access logs has Epoch Time format like 1434589605.318 and kibana is not able to detect this time stamp field, hence I am not able to segregate the logs, however if I try the same access logs on kibana3 it is able to detect timestamp after I mention the filed in Time picker.

Please guide me on how to map this time stamp to index so that I can segregate the logs based on time stamp.

Thanks and Regards,
Naren.

warkolm · August 29, 2015, 10:36pm

What does the mapping in ES look like for that field?

tbragin · September 2, 2015, 3:53am

There is no change in the way Kibana 4 treats timestamps, compared to Kibana 3. Both require that your time field is mapped as a "date" in Elasticsearch.

For reference, here is a sample mapping that works:

  "@timestamp" : {
    "type" : "date",
    "format" : "strict_date_optional_time||epoch_millis"
  },

cloud_admin · September 3, 2015, 7:30pm

Thanks for your reply, my kibana4 gets logs from one ES cluster where time format is in epoch format and it is mapped to field "ts", however nothing is being displayed in indices filed

could you please guide me on where should I map the ts field so that it will populate in Indices

Thanks and Regards,
Narendra.

tbragin · September 10, 2015, 10:32pm

Could you post your mappings from ES to make sure we're talking about the same thing?

cloud_admin · September 11, 2015, 12:23pm

Hi Tanya,

Thanks for your reply, below are my mappings.

tbragin · September 11, 2015, 1:45pm

So, I don't see anything with type "date" in there -- that's what you need.

cloud_admin · September 12, 2015, 3:52pm

The Field TS is the timestamp in epoch format, in kiabna 3 I am able to mention @ts in time picker and it is able to recognise it, however in kibana4 i am not able to map it,

Is there a way to mention it in kibana4 apart from modifying it in elastic search?

derandreasberger · December 16, 2015, 3:57pm

Hello!
I've been struggling with timestamps too. The only way i found to get it to work as i wanted to, was to create a new template for timestamp mapping.
curl -XPUT 'http://YOURELASTICSEARCHSERVER:9200/_template/indexname*/' -d @elastic_template.json

content of file "elastic_template.json"
{
"template": "indexname*",
"order": 1,
"mappings" : {
"index" : {
"properties" : {
"log_date" : {
"type" : "date",
"format": "yyyy-MM-dd HH:mm:ss,SSS||yyyy-MM-dd HH:mm:ss.SSS||yyyy/MM/dd HH:mm:ss||yyyy-MM-dd||MMM dd, yyyy HH:mm:ss a"
},
"appname" : {
"type" : "string",
"index": "not_analyzed"
},
"msg_content" : {
"type" : "string"
}
}
}
}
}
}

I guess this will work for epoch_millis as well. Most important thing: Ensure elasticsearch is saving your timestamp as date, check with:
curl -XGET 'http://YOURELASTICSEARCHSERVER:9200/indexname*/_mapping?pretty'

Hope it helps!

Topic		Replies	Views
Kibana do not recognize the unix timestamp field in elasticsearch Elasticsearch	2	711	July 5, 2017
How to take EPOCH time as @timestamp Logstash	6	4174	July 6, 2017
Mapping timestamp in Kibana Elasticsearch	7	3686	March 18, 2020
Kibana Timestamp Format Kibana	4	7223	January 4, 2018
Kibana4 adding index patterns Kibana	5	1654	July 6, 2017

Kibana 4.1.1 unable to map timestamp which is in UNIX Epoch format

Related topics