I am sending logs from Jenkins to ELK. Because of the jade timestamp and not having enough precision to nano or milliseconds, I have introduced a sequence number against every line of log that enters Logstash. Even after introducing the sequence number, the problem persists. If the logs are not in sequence in Kibana, it's misleading to the users.
How are you assigning the sequence number? If done in a filter it is possible the logs are not processed in order. I believe Filebeat provides an offset value that you can use to order data within a file, so I would recommend using that over the Logstash file input plugin.
Offset is the number of bytes read. If I sort by offset, the sequence will not be maintained. I tried doing that as I can see a field by name "offset" in Kibana.
I am using an input filter and Ruby code to introduce the sequence number to every line of log. As can be seen below, the sequence starts from 100 and increases by one for every line of log it encounters.
The offset will give you the order although not sequential values. I am not sure if the ordering of events is guaranteed once you get to the filter stage so you may need to implement a custom codec.
Thanks for responding back. Glad to know about the issue with V7. Even though I am not using V7, if the order is not maintained, it's misleading. There must be a fix for this.
Right now I have reduced 'pipeline.batch.size' to 1. After this the order is maintained in Kibana; however, only time will tell how effective a solution this is. I have not changed the default pipeline workers, which is 1 by default. I am not able to figure out how to use '-w 1'. My ELK version is 6.3.2.