Kibana discovery display

Hello,
I have a question about the display in Kibana discovery, JSON section.
Can someone tell me why date fields are displayed twice in the JSON? For example, I have a field event_date (timezone is UTC +1).
event.event_date 2020-02-26 @ 08:54:54.570
And there is a section "fields" that displays the same field, but in UTC:

  "fields": {
    "@timestamp": [
      "2020-02-26T07:54:54.570Z"
    ],
    "event.event_date": [
      "2020-02-26T07:54:54.570Z"
    ]
  },

Hello @tennaen

It looks like you have two different fields with the same value. How are documents being added to Elasticsearch?

Hello @mattkime, thank you for the quick response. I'm using Logstash to read from Postgres. This is my pipeline configuration:

 input {
        jdbc {
                jdbc_driver_class => "Java::org.postgresql.Driver"
                jdbc_connection_string => "jdbc:postgresql://db_ip:5432/db_name"
                jdbc_user => "db_user"
                jdbc_password => "${db_user_pass}"
                statement => "select * from T_AUDIT_LOG_EVENT where id > :sql_last_value"
                use_column_value => true
                tracking_column => id
                tracking_column_type => "numeric"
                #clean_run => true
                schedule => "* * * * *"
                last_run_metadata_path => "/u01/data/ls_logs/uat/.logstash_jdbc_last_run"
        }
 }
 filter {
        json {
                source => "value"
                target => "event"
        }
        mutate {
                add_field => {
                        "[@metadata][event_type]" => "%{[event][event_type]}"
                }
        }
        mutate {
                lowercase => ["[@metadata][event_type]"]
        }
        date {
                timezone => "Europe/Warsaw"
                match => ["[event][event_date]", "YYYY-MM-dd HH:mm:ss.SSS", "ISO8601"]
                target => "@timestamp"
        }
 }
 output {
        elasticsearch {
                hosts => "elastic_ip:9200"
                user => elasticuser
                password => "${elasticuserpass}"
                index => "uat-focus-audit-log--%{[@metadata][event_type]}"
                #document_type => "audit-log-events"
                document_id => "%{id}"
        }
        #stdout {
        #       codec => "rubydebug"
        #}
 }

I've checked the pipeline output, and there are no additional fields.

Does anyone have an idea what could be the reason for the double fields in the output?
