Problem with indexing event their time in timestamp beginning with no zero

ddoroshenko · June 3, 2022, 2:07pm

Hi,

I have Oracle DB logs which have standard ISO8601 timestamp (yyyy-MM-ddTHH:mm:ss.SSSSSSZ).

I have date filter

filter {
  date {
    match => [ "log_timestamp", "ISO8601" ]
  }
}

But to the Elasticsearch are indexed only events between 00:00:00 and 09:59:59.
It looks like Elasticsearch "don't understand" timestamps beginning with 1 or 2.

Note:

I have the problem with the only log. The other logs using the same date filter are indexed correctly.
There are not any errors in Logstash and Elasticsearch logs

stephenb · June 6, 2022, 4:16am

Hi @ddoroshenko perhaps provide several samples of the complete timestamp you're trying to convert and what the results are.

ddoroshenko · June 6, 2022, 6:23am

Here are.
The 2022-06-05T05:46:21.358067+02:00 in log is converted to 2022-06-05T05:46:21.358 in Kibana

But something like 2022-06-05T15:46:21.358067+02:00 or 2022-06-05T23:46:21.358067+02:00 just dissappears and I don't see nothing in Kibana

ddoroshenko · June 6, 2022, 12:46pm

Well,
I had a tag collision in a pipeline so it cause the problem.

Topic		Replies	Views
Date mapping issue Logstash	16	3529	December 22, 2017
Logstash indexing all logs to the index of first log Logstash	1	322	May 27, 2019
Date-filter - Issue with setting @timestamp with the value from my log Logstash	9	828	May 2, 2019
Could not index event to Elasticsearch. Logstash date filter Logstash	3	446	February 11, 2020
Logstash date filtering and event @timestamp Logstash	3	8909	June 13, 2017

Problem with indexing event their time in timestamp beginning with no zero

Related topics