Kibana Index time field does not match @timestamp field

Kevin_f · July 28, 2020, 2:44pm

Hello,

Within my Kibana, I have an index showing @timestamp and another called "time".

The first issue is the field @timestamp does not match the time in Europe/London.
The second is issue is that the time field in log does not match @timestamp

This is the json document of the index:

I have tried to add both date filters in turn shown below to try and correct this but no luck.

date {
      match => ["time", "ISO8601"]
      timezone => "Europe/London"
      target => "time"
    }

Any one has come across this issue before? Thanks.

Kevin_f · July 28, 2020, 3:39pm

Okay I have fixed the first issue with the incorrrect @timestamp by using the following config:

date {
      match => ["timestamp", "ISO8601"]
      timezone => "Europe/London"
    }

Now with the second issue where the @timestamp and log time were not matching, I tried the following:

grok {
      match => ["time", "%{TIMESTAMP_ISO8601:timestamp}"]
    }
    date {
      match => ["timestamp", "ISO8601"]
    }

This resolved the 2nd issue but this produced another index field called "timestamp"

Kevin_f · July 29, 2020, 8:20pm

Solved issue with:

    grok {
      match => ["time", "%{TIMESTAMP_ISO8601:timestamp}"]
    }
    date {
      match => ["timestamp", "ISO8601"]
      remove_field => ["timestamp"]
    }

hope this helps others in the future!

system · August 26, 2020, 8:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.