We are using the Elastic Stack with version 5.5. Until now, I managed to solve every issue, but this one got me good.
When our devices produce more than one event per millisecond, Kibana won't show the events in the correct order.
Time synchronisation between the devices is another topic, but at least the order of events from one device should be preserved.
It is the old problem of multiple events per Timestamp (precision of milliseconds, accuracy of ~16ms, we are using .NET..).
Most solutions I found used a sequence number, which will increase with every incoming event. But the plugins (e.g. https://github.com/apenvern/logstash-filter-sequence) won't save the sequence number. Meaning after a restart, the first event would be saved with the sequence number 0, losing all benefits of a unique id.
I tried to save the number in a file, but wasn't successful, as there is little to no documentation.
How did you solve this?
This could also be solved, if Kibana could sort the events per Timestamp only. So that it will first sort the elements per timestamp and afterwards, if there is more than one event per timestamp, sort those by the sequence number. A restart meaning a new sequence number wouldn't matter in that case.
I found the option:sort parameter in the advanced settings, but couldn't decide whether it could do that and how.
As this should be a very common issue, the solution is probably very easy to achieve, but I wasn't able to find any detailed guide.
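
The two ideas raised in the post (a sequence number that survives a restart, and ordering by timestamp with the sequence number only as a tie-breaker), sketched as an added example that is not part of the original post and is not Logstash or plugin code. `PersistentSequence`, `order_events`, the state file name and the sample events are all hypothetical and constructed for illustration.

```ruby
require "tmpdir"

# Hypothetical helper (not part of Logstash or any plugin): a counter whose
# last value is kept in a state file so it survives a process restart.
class PersistentSequence
  def initialize(path)
    @path = path
    # Resume from the stored value; start at 0 when no state file exists yet.
    @value = File.exist?(path) ? Integer(File.read(path).strip, 10) : 0
  end

  # Returns the next number, writing it to the state file first.
  def next_value
    @value += 1
    tmp = "#{@path}.tmp"
    File.write(tmp, @value.to_s)
    # On POSIX file systems a rename within one directory replaces the old
    # file atomically, so a crash never leaves a half-written counter.
    File.rename(tmp, @path)
    @value
  end
end

# Two-key ordering: timestamp first, sequence number only as the tie-breaker.
def order_events(events)
  events.sort_by { |e| [e[:timestamp], e[:seq]] }
end

# Constructed sample: three events share one millisecond, with a simulated
# restart (a new PersistentSequence object) after the second event.
def demo
  Dir.mktmpdir do |dir|
    state = File.join(dir, "seq.state")
    seq = PersistentSequence.new(state)
    events = [
      { timestamp: 1_500_000_000_123, seq: seq.next_value, msg: "open" },
      { timestamp: 1_500_000_000_123, seq: seq.next_value, msg: "write" }
    ]
    seq = PersistentSequence.new(state) # "restart": counter reloads from file
    events << { timestamp: 1_500_000_000_123, seq: seq.next_value, msg: "close" }
    events << { timestamp: 1_500_000_000_100, seq: seq.next_value, msg: "earlier" }
    # Shuffle to mimic out-of-order arrival, then restore the order.
    order_events(events.shuffle).map { |e| [e[:msg], e[:seq]] }
  end
end
```

Writing the state file on every event is the simplest correct form; a real pipeline would batch those writes and accept a gap in the numbering after a crash.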