Kibana discovery display

tennaen · February 26, 2020, 7:58am

Hello,
i have a question about display in Kibana discovery, json section.
Can someone tell me why date fields are displayed twice in json? In example i have a field event_date (timezone is UTC +1).
event.event_date 2020-02 -26 @ 08:54:54.570
And there is a section "fields" that display same field but in UTC

  "fields": {
    "@timestamp": [
      "2020-02-26T07:54:54.570Z"
    ],
    "event.event_date": [
      "2020-02-26T07:54:54.570Z"
    ]
  },

mattkime · February 26, 2020, 3:45pm

Hello @tennaen

It looks like you have two different fields with the same value. How are documents being added to elasticsearch?

tennaen · February 27, 2020, 6:30am

Hello @mattkime, thank you for quick response. I'm using Logstash to read from Postgres. This is my pipeline configuration:

 input {
        jdbc {
                jdbc_driver_class => "Java::org.postgresql.Driver"
                jdbc_connection_string => "jdbc:postgresql://db_ip:5432/db_name"
                jdbc_user => "db_user"
                jdbc_password => "${db_user_pass}"
                statement => "select * from T_AUDIT_LOG_EVENT where id > :sql_last_value"
                use_column_value => true
                tracking_column => id
                tracking_column_type => "numeric"
                #clean_run => true
                schedule => "* * * * *"
                last_run_metadata_path => "/u01/data/ls_logs/uat/.logstash_jdbc_last_run"
        }
 }
 filter {
        json {
                source => "value"
                target => "event"
        }
        mutate {
                add_field => {
                        "[@metadata][event_type]" => "%{[event][event_type]}"
                }
        }
        mutate {
                lowercase => ["[@metadata][event_type]"]
        }
        date {
                timezone => "Europe/Warsaw"
                match => ["[event][event_date]", "YYYY-MM-dd HH:mm:ss.SSS", "ISO8601"]
                target => "@timestamp"
        }
 }
 output {
        elasticsearch {
                hosts => "elastic_ip:9200"
                user => elasticuser
                password => "${elasticuserpass}"
                index => "uat-focus-audit-log--%{[@metadata][event_type]}"
                #document_type => "audit-log-events"
                document_id => "%{id}"
        }
        #stdout {
        #       codec => "rubydebug"
        #}
 }

tennaen · February 28, 2020, 8:57am

I've checked pipeline output, and there are no additional fields.

tennaen · March 10, 2020, 1:34pm

Anyone has idea what can be reason for double fields in output?

Topic		Replies	Views
Dates ingested to elasticsearch are shown differently in Kibana Discover Kibana	2	419	July 1, 2020
"fields" key show date-type fields in JSON view Kibana	3	582	June 2, 2020
Kibana is showing one field value different from elasticsearch Kibana	4	345	August 6, 2018
The date field in Kibana does not match the field properly in the doucment of a index Kibana data-views	6	246	January 25, 2024
Getting different @timestamp field in kibana as a JSON document and in Table Kibana	2	2342	May 16, 2019

Kibana discovery display

Related topics