Source of @timestamp field in elasticsearch

jogoinar10 · 2018-11-26 11:16:10 UTC

I have an elastic setup which consist of Beats, Logstash and Elasticsearch.

I just wanna know if what application generates the @timestamp field?

Is it generated by elasticsearch at the time it was index? or at the time that filebeat compiles the file logs?

TIA

dadoonet · 2018-11-26 12:01:51 UTC

Well. It can come from different sources:

Metricbeat for example can generate it
Logstash can extract the date from a log line with some grok/date filters. The log line can come from filebeat though.
Elasticsearch as well if you are using ingest pipelines or filebeat modules such as the nginx module

So I'd say that it depends

jogoinar10 · 2018-11-26 12:03:55 UTC

Thank you for the info. but let's say that my data came from filebeat or winlogbeat. Does the beat generates the data?

jogoinar10 · 2018-11-26 12:34:26 UTC

Thank you for the info. but let's say that my data came from filebeat or winlogbeat. Does the beat generates the data?

dadoonet · 2018-11-26 16:39:29 UTC

I did not check the details. I supposed that for winlogbeat beats generate the @timestamp field according to the event date.

For filebeat, it depends. If you are streaming whatever unknown log file ie /myapp/app.log then @timestamp is most likely the date the event has been collected by filebeat and not the event date itself.

Better to ask in #beats:filebeat to get more info on this IMO.