Source of @timestamp field in elasticsearch

Elastic Stack Elasticsearch
1

I have an elastic setup which consist of Beats, Logstash and Elasticsearch.

I just wanna know if what application generates the @timestamp field?

Is it generated by elasticsearch at the time it was index? or at the time that filebeat compiles the file logs?

TIA :smiley:

2

Well. It can come from different sources:

  • Metricbeat for example can generate it
  • Logstash can extract the date from a log line with some grok/date filters. The log line can come from filebeat though.
  • Elasticsearch as well if you are using ingest pipelines or filebeat modules such as the nginx module

So I'd say that it depends :wink:

3

Thank you for the info. but let's say that my data came from filebeat or winlogbeat. Does the beat generates the data?

4

Thank you for the info. but let's say that my data came from filebeat or winlogbeat. Does the beat generates the data?

5

I did not check the details. I supposed that for winlogbeat beats generate the @timestamp field according to the event date.

For filebeat, it depends. If you are streaming whatever unknown log file ie /myapp/app.log then @timestamp is most likely the date the event has been collected by filebeat and not the event date itself.

Better to ask in #beats:filebeat to get more info on this IMO.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.