The @timestamp field of an index template has been set in the format of epoch_seconds.
Unfortunately the application sends the data in epoch_millis (1577983263046).
Hence the json events are stored somewhere in year 04/20/51974.
I've queried the data for results @timestamp higher than today, but I couldn't find events.
From my point of view it looks that elasticsearch skips such documents.
My question: Of course our scenario is an application issue but nevertheless I'm wondering whether there is a limitation storing documents far in the future? Is there?
No, as long as the value doesn't surpass the largest value that can stored in the underlying data structure, there is no limit on dates in the future.
This example demonstrates the behaviour. Two documents are stored, where one contains the date value as epoch_second, and the other as epoch_millis. The mapping only specifies epoch_second and also basic_date_optional_time. Only date strings in a recognized format can be searched for.
I would suggest that you adjust the mapping of your index to reflect the actual formats used in the data. You can reindex from the already existing index into a new index that has epoch_millis in the date format (default).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.