Sort by date in kibana in the visualize option

bruno_aleixo · August 11, 2020, 3:58pm

Hello
I am trying to create a visualize where it is sorted by date, I used the filter in the date logstash, but I cannot sort the crescent in the kibana visualize

Logstash

input {
    beats {
        port => "5064"
    }
}

filter {
  if [App] == "Deployment" {
    grok {
      patterns_dir => "/opt/elk/applications/logstash/config/patterns"
      match => [ "message", "^%{WORD}\:%{DATA:Domain}%{SPACE}%{WORD}\:%{HOSTNAME:Hostname}%{SPACE}%{WORD}\:%{GREEDYDATA:Deploy}%{SPACE}Data\:%{GREEDYDATA:Data}" ]
    }

   date{
      match => [ "Data", "dd/MM/yy HH-mm" ]
      locale => "en-US"
      timezone => "Brazil/East"
      target => "Data"
}
    mutate {
       remove_field => [ 'wls_timezone' , 'message', 'wls_host', 'wls_rawtime', 'wls_diagcontid' , 'tags' , "host.name" , "source" ]
       remove_tag => ["beats_input_codec_plain_applied" , "audit" , "_dateparsefailure" , "wls_audit_8_out" , "_grokparsefailure" , "source" , "host.name" ]

    }
  }

##END PIPELINE
}

output {
    elasticsearch {
        hosts => ["elk1:9200", "elk2:9200"]
        index => "wl_audit_deployment_teste-%{+YYYY.MM.dd}"
    }
}

in the date field it does not sort by increasing or decreasing the date 10/12/19 16:45 appears in the middle of the field

joshdover · August 11, 2020, 4:46pm

It looks like you need to adjust the mappings for the destination index to make Elasticsearch understand your date as a date rather than a keyword field.

Since you're using a dynamic index pattern, I'd recommend setting up an index template that will automatically apply to any new index that is created and matches the pattern.

You can read more about index templates in the Elasticsearch documentation:

If you're using Elasticsearch 7.8 or later, refer to the new composable index templates here
Otherwise, you'll want to refer to the legacy index templates

On both of these pages the first example has a date field that you can refer to.

bruno_aleixo · August 11, 2020, 6:57pm

Hi, thank you very much for your reply,
about your answer, I would change the index already created, right? wouldn't I have to put this in the logstash with a mutate filter or something?

joshdover · August 11, 2020, 7:33pm

Elasticsearch does not support changing the mapping for a field on an index that already exists. What you'll need to do is create a new index with the updated mappings and then reindex your old data into that one. (hint: there is a Reindex API that makes this simpler). You shouldn't need to change your Logstash configuration at all.

Topic		Replies	Views
Logstash Date Filter not working on Kibana Logstash	10	971	September 18, 2020
Sorting behaviour of a Date Field in Kibana Controls Option List Kibana	6	843	February 8, 2019
How sort by date/time on Kibana Discover Kibana	16	50339	May 4, 2018
Kibana - Visualize - Controls Option List - Date Sorting Kibana	1	614	April 15, 2019
How to map a date field in Logstash config file? Logstash	2	3551	April 10, 2019

Sort by date in kibana in the visualize option

Related topics