Problem with @timestamp time in indexes

I see.

I believe that json.keys_under_root: true writes:

{
   "@timestamp":"2020-03-06T20:18:23.894670031Z",
   "exportable":true,
   "level":"info",
   "message":"Get full report request",
   "report_uuid":"bf0f8a56-4a46-4cf1-8706-491b3607eaf3",
   "username":"_eva.vls_"
}

Then filebeat adds its metadata and writes:

{
   "@timestamp":"2020-03-06T20:18:29.973Z",
   "log":{
      "file":{
         "path":"/var/log/report-generator/report-generator.log"
      },
      "offset":14310474576
   },
   "report_uuid":"bf0f8a56-4a46-4cf1-8706-491b3607eaf3",
   "input":{
      "type":"log"
   },
   "ecs":{
      "version":"1.1.0"
   },
   "exportable":true,
   "level":"info",
   "message":"Get full report request",
   "host":{
      "name":"1ps-api"
   },
   "agent":{
      "hostname":"1ps-api",
      "id":"448f24c9-d971-4558-8651-b57f65cc4de2",
      "version":"7.4.2",
      "type":"filebeat",
      "ephemeral_id":"9bf7ff2d-3c39-4e04-8b8d-d2fe300d4f3e"
   },
   "username":"_eva.vls_"
}

So @timestamp gets overwritten.

You probably need to set overwrite_keys: true. See https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#filebeat-input-log-config-json
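The setting suggested in the reply above, placed in a `filebeat.yml` log input. This is an added example, not part of the original thread: the log path is taken from the event shown on this page, and the rest of the input layout is assumed.

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/report-generator/report-generator.log

    # Decode each line as JSON and put the decoded keys at the top level
    # of the event instead of under a "json" key.
    json.keys_under_root: true

    # Before (default is false): when a decoded key conflicts with a field
    # Filebeat adds itself, Filebeat's value is kept. In the events above,
    # @timestamp then becomes the read time (20:18:29.973Z), not the time the
    # application logged (20:18:23.894670031Z).
    # json.overwrite_keys: false

    # After: decoded keys win on conflict, so the application's @timestamp
    # is the one that is indexed.
    json.overwrite_keys: true

    # Adds error.message and error.type fields to the event when a line
    # cannot be decoded as JSON, so decoding failures show up in the index.
    json.add_error_key: true
```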

Hurray )) It's working )) Thank you very much )
