Kibana "Logs" application Tiebreaker field grayed out

Hello,

I am trying to set up a tiebreaker field in the Kibana "Logs" application, but it is grayed out. There is a banner showing "Deprecation Notice". I am unsure how to set that tiebreaker field now that it's deprecated. In the kibana.yml file maybe?

Please help me figure this out for Kibana 7.6.2.

Joey

Hello Joey, let me check with the team on that.

You can still override these values via the config/kibana.yml settings.

The value that I found does not work when I add it in kibana.yml and restart:

xpack.infra.sources.default.fields.tiebreaker: 'event.sequence'

The context:tieBreakerFields value also isn't picked up in the Discover app when I set it to "event.sequence,_doc".

Is this a feature that is only fixed in version 8.0.0?

I have tried sending in multiple log events after changing the values, saving and restarting and the events are still not in order following the value of the tiebreaker field (it's a "long" number assigned to the event.sequence field).

Thank you,
Joey

To give you an example, I set the "context:tieBreakerFields" value in Kibana's advanced settings to "event.sequence,_doc" (that field is set by Logstash and I can see it arrive in the Discover app).

  1. The original log would look like this:
[2020-04-17 11:16:36.874] [123] [My 1st log entry]
[2020-04-17 11:16:36.874] [456] [My 2nd log entry]
[2020-04-17 11:16:36.874] [789] [My 3rd log entry]
  2. Filebeat sends the logs to Logstash

  3. Logstash does some mangling, including setting the "event.sequence" field to the value of the second set of brackets:

i.e. event.sequence => 123
  4. Logstash sends the new event to Elasticsearch

  5. The Discover app shows the fields out of order, such as:

Apr 17, 2020 @ 11:16:36.874    123
Apr 17, 2020 @ 11:16:36.874    789
Apr 17, 2020 @ 11:16:36.874    456
  6. If I go into the Logs app, the log entries are also in the wrong order. To come back to my original post, the tiebreaker field in the Logs settings is grayed out, and using the value

xpack.infra.sources.default.fields.tiebreaker: 'event.sequence'

... in kibana.yml does nothing to help.

Joey
