Problem with indexing event their time in timestamp beginning with no zero

ddoroshenko · June 3, 2022, 2:07pm

Hi,

I have Oracle DB logs which have standard ISO8601 timestamp (yyyy-MM-ddTHH:mm:ss.SSSSSSZ).

I have date filter

filter {
  date {
    match => [ "log_timestamp", "ISO8601" ]
  }
}

But to the Elasticsearch are indexed only events between 00:00:00 and 09:59:59.
It looks like Elasticsearch "don't understand" timestamps beginning with 1 or 2.

Note:

I have the problem with the only log. The other logs using the same date filter are indexed correctly.
There are not any errors in Logstash and Elasticsearch logs

stephenb · June 6, 2022, 4:16am

Hi @ddoroshenko perhaps provide several samples of the complete timestamp you're trying to convert and what the results are.

ddoroshenko · June 6, 2022, 6:23am

Here are.
The 2022-06-05T05:46:21.358067+02:00 in log is converted to 2022-06-05T05:46:21.358 in Kibana

But something like 2022-06-05T15:46:21.358067+02:00 or 2022-06-05T23:46:21.358067+02:00 just dissappears and I don't see nothing in Kibana

ddoroshenko · June 6, 2022, 12:46pm

Well,
I had a tag collision in a pipeline so it cause the problem.

system · July 4, 2022, 12:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why date event in Elasticsearch logs are not in UTC Elasticsearch	8	1908	April 11, 2019
Could not index event to Elasticsearch. Logstash date filter Logstash	4	394	March 10, 2020
Elasticsearch stop indexing with custom timestamp Logstash	9	1734	July 6, 2017
ISO8601 in date filter Logstash	1	1744	August 17, 2017
Logstash stops emitting events when using date filter Logstash	4	1684	July 6, 2017

Problem with indexing event their time in timestamp beginning with no zero

Related topics