Problem with indexing event their time in timestamp beginning with no zero

ddoroshenko · June 3, 2022, 2:07pm

Hi,

I have Oracle DB logs which have standard ISO8601 timestamp (yyyy-MM-ddTHH:mm:ss.SSSSSSZ).

I have date filter

filter {
  date {
    match => [ "log_timestamp", "ISO8601" ]
  }
}

But to the Elasticsearch are indexed only events between 00:00:00 and 09:59:59.
It looks like Elasticsearch "don't understand" timestamps beginning with 1 or 2.

Note:

I have the problem with the only log. The other logs using the same date filter are indexed correctly.
There are not any errors in Logstash and Elasticsearch logs

stephenb · June 6, 2022, 4:16am

Hi @ddoroshenko perhaps provide several samples of the complete timestamp you're trying to convert and what the results are.

ddoroshenko · June 6, 2022, 6:23am

Here are.
The 2022-06-05T05:46:21.358067+02:00 in log is converted to 2022-06-05T05:46:21.358 in Kibana

But something like 2022-06-05T15:46:21.358067+02:00 or 2022-06-05T23:46:21.358067+02:00 just dissappears and I don't see nothing in Kibana

ddoroshenko · June 6, 2022, 12:46pm

Well,
I had a tag collision in a pipeline so it cause the problem.

system · July 4, 2022, 12:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.