Source of @timestamp field in elasticsearch

jogoinar10 · November 26, 2018, 11:16am

I have an elastic setup which consist of Beats, Logstash and Elasticsearch.

I just wanna know if what application generates the @timestamp field?

Is it generated by elasticsearch at the time it was index? or at the time that filebeat compiles the file logs?

TIA

dadoonet · November 26, 2018, 12:01pm

Well. It can come from different sources:

Metricbeat for example can generate it
Logstash can extract the date from a log line with some grok/date filters. The log line can come from filebeat though.
Elasticsearch as well if you are using ingest pipelines or filebeat modules such as the nginx module

So I'd say that it depends

jogoinar10 · November 26, 2018, 12:03pm

Thank you for the info. but let's say that my data came from filebeat or winlogbeat. Does the beat generates the data?

jogoinar10 · November 26, 2018, 12:34pm

Thank you for the info. but let's say that my data came from filebeat or winlogbeat. Does the beat generates the data?

dadoonet · November 26, 2018, 4:39pm

I did not check the details. I supposed that for winlogbeat beats generate the @timestamp field according to the event date.

For filebeat, it depends. If you are streaming whatever unknown log file ie /myapp/app.log then @timestamp is most likely the date the event has been collected by filebeat and not the event date itself.

Better to ask in #beats:filebeat to get more info on this IMO.

system · December 24, 2018, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.