Mappings for @timestamp are as follows. I recently switched to using epoch_second:
    "@timestamp": {
      "format": "yyyy-MM-dd HH:mm:ss||epoch_second",
      "index": true,
      "ignore_malformed": false,
      "store": false,
      "type": "date",
      "doc_values": true
    },
Here's an example document:
    {
      "_index" : "some-index-2020.02.16-000014",
      "_type" : "_doc",
      "_id" : "AR7AVnABzoWS80HG3IVd",
      "_score" : 0.0,
      "_source" : {
        "destination" : {
          "geo" : {
            "continent_name" : "North America",
            "region_iso_code" : "US-WA",
            "city_name" : "Seattle",
            "country_iso_code" : "US",
            "country_name" : "United States",
            "region_name" : "Washington",
            "location" : {
              "lon" : -102.2432,
              "lat" : 27.24
            }
          },
          "as" : {
            "number" : 12345,
            "organization" : {
              "name" : "Google, Inc."
            }
          },
          "port" : 443,
          "bytes" : 1234,
          "ip" : "1.2.3.4"
        },
        "source" : {
          "bytes" : 1234,
          "ip" : "192.168.1.1"
        },
        "firewall" : {
          "logs" : {
            "rule" : "interwebz",
            "url" : {
              "type" : "troubleshooting"
            }
          }
        },
        "frequency" : 4,
        "tags" : [
          "help",
          "please"
        ],
        "network" : {
          "application" : "ssl",
          "bytes" : 1234,
          "transport" : "tcp"
        },
        "observer" : {
          "hostname" : "something.com"
        },
        "@timestamp" : 1581983940,
        "event.module" : "firewall",
        "related" : {
          "ip" : [
            "1.2.3.4",
            "192.168.1.1"
          ]
        },
        "event" : {
          "dataset" : "firewall.logs",
          "outcome" : "permit"
        }
      }
    }
Again, since I started storing the logs in epoch_second format, none of the visualizations in the SIEM app show my logs. I do see these logs in Discover, Dashboards, and Visualizations. When I hit Inspect and run the query against the console, it returns nothing (even though I definitely have logs for that time period). I get it to return my logs when I include "format": "epoch_millis" in the queries:
Note that the Inspect tool on all the visualizations does not include this format field:
And for comparison, the Discover page Inspect includes the format with the range (albeit a different format):
Not sure if this is related to my issue or a completely separate issue altogether.
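The post describes a date field whose mapping format is "yyyy-MM-dd HH:mm:ss||epoch_second", a document whose @timestamp is 1581983940, and a range query that matches nothing until "format": "epoch_millis" is added. The script below is an added illustration written for this thread, not Elasticsearch code and not the poster's own; it assumes (as a simplification of the real parser) that a value is tried against each "||"-separated format in order and the first one that parses wins, and that a range query's bounds are parsed with the field's mapping format unless the query supplies its own "format". Under that assumption, numeric bounds expressed in milliseconds are read as seconds, land tens of thousands of years in the future, and silently exclude every document, which is exactly the kind of gap that makes a SIEM dashboard look empty while the data is really there. The sample documents and bounds are constructed.

```python
from datetime import datetime, timezone

# Mapping format from the post (a "||"-separated list of accepted formats).
MAPPING_FORMAT = "yyyy-MM-dd HH:mm:ss||epoch_second"

# Constructed sample index: the @timestamp value is the one from the post
# (1581983940 seconds == 2020-02-17 23:59:00 UTC).
DOCS = [
    {"_id": "doc-1", "@timestamp": 1581983940, "event.outcome": "permit"},
    {"_id": "doc-2", "@timestamp": "2020-02-17 12:00:00", "event.outcome": "deny"},
]


def to_epoch_millis(value, formats):
    """Parse `value` with the first format in `formats` that accepts it.

    Returns UTC epoch milliseconds. This is an assumed simplification of
    multi-format date parsing, not the real Elasticsearch implementation.
    """
    for fmt in formats.split("||"):
        try:
            if fmt == "epoch_second":
                return int(value) * 1000
            if fmt == "epoch_millis":
                return int(value)
            if fmt == "yyyy-MM-dd HH:mm:ss":
                dt = datetime.strptime(str(value), "%Y-%m-%d %H:%M:%S")
                return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1000)
        except ValueError:
            continue  # this format does not accept the value; try the next one
    raise ValueError(f"cannot parse {value!r} with format {formats!r}")


def range_query(docs, gte, lte, field_format, query_format=None):
    """Return the docs whose @timestamp falls within [gte, lte].

    Bounds are parsed with `query_format` when given (the "format" key of a
    range query), otherwise with the field's mapping format (assumed behaviour).
    """
    bound_format = query_format or field_format
    lo = to_epoch_millis(gte, bound_format)
    hi = to_epoch_millis(lte, bound_format)
    return [
        d["_id"]
        for d in docs
        if lo <= to_epoch_millis(d["@timestamp"], field_format) <= hi
    ]


# Constructed bounds covering 2020-02-17 00:00:00 .. 2020-02-18 00:00:00 UTC,
# expressed in milliseconds the way a UI typically sends them.
GTE_MS = 1581897600000
LTE_MS = 1581984000000


def without_query_format():
    # Millisecond bounds parsed as epoch_second: both ends jump far into the
    # future, so nothing matches.
    return range_query(DOCS, GTE_MS, LTE_MS, MAPPING_FORMAT)


def with_query_format():
    # Same bounds, but the query states "format": "epoch_millis".
    return range_query(DOCS, GTE_MS, LTE_MS, MAPPING_FORMAT, query_format="epoch_millis")


def with_string_bounds():
    # Bounds in the mapping's own string format also work without a query format.
    return range_query(DOCS, "2020-02-17 00:00:00", "2020-02-18 00:00:00", MAPPING_FORMAT)


if __name__ == "__main__":
    print("no format in query :", without_query_format())
    print("format=epoch_millis:", with_query_format())
    print("string bounds      :", with_string_bounds())
```

The one-line takeaway for anyone building detections on this index: a timestamp range that returns zero hits is not proof that nothing happened. Check that the query's bounds and the field's mapping agree on the unit (seconds versus milliseconds) before trusting an empty panel.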