Need update on tiebreaker fields for Kibana logs (event.sequence?)

Good morning,

Following up from another post I made a while ago, I want to know if in version 7.10.0 of Kibana, the event.sequence field is used automatically by the Kibana Logs application to sort the events that have the same @timestamp precision?

From what I understand, that field is part of the ECS (Event Fields | Elastic Common Schema (ECS) Reference [1.9] | Elastic) and its description seems to do what I need ("...to make the exact ordering of events unambiguous, regardless of the timestamp precision."). But I am not sure if the Kibana Logs application, when streaming or when filtering, is leveraging it to sort the events it is showing in the UI.

The documentation is not clear, and there seem to be more people not finding answers than there are who have (i.e. Provide an official provision for tie-breaking events with the same @timestamp · Issue #1064 · elastic/ecs · GitHub).

Thank you for any guidance you can provide on the tiebreaker field.

Joey

Hi @cotjoey,

We don't use the event.sequence field for tiebreaking.

By default we use the _doc field. In older versions of Kibana this was configurable, but this is no longer the case.

Hello @Kerry,

Since the _doc field is used for tiebreaking, how can I find the value of that field? When I use Discover in Kibana, there are no _doc fields in either the Table view or the JSON view of a document.

Are those _doc field values incremented in a way that if multiple of the same timestamps end up in an index, it will sort them chronologically as per the value of _doc?

Thanks,
Joey
