@timestamp in Elasticsearch

Hello,

My understanding is that the @timestamp field I see in Kibana is set when Logstash receives an event and forwards it to the Elasticsearch cluster. Is @timestamp changed or modified under any other circumstances? For example, could the @timestamp be updated when there is a re-index operation or data is backed up and restored?

Thank you,

T.

It's not altered unless you specifically update it.

Hi Mark,

Could you expand on what would update the field? Do you mean that the @timestamp field would remain the same unless each event were accessed and the @timestamp updated?

I have a situation where there is a group of events with an @timestamp field that is very different from the timestamp recorded at the server in the event information. Usually there is a slight discrepancy, but in the situation I am looking at the discrepancy is quite large (over 12 hours).

Thank you,

Tom.

Yep.

I guess that really depends on how the data gets to Elasticsearch.
If you are using Logstash or the ingest API, then look at the date formatting functionality to normalise things.
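As an added illustration of the normalisation Mark refers to (not code from the original thread), the Logstash pipeline below parses the server's own timestamp into @timestamp while preserving the receipt time for comparison. The field name `server_time`, its formats, and the source timezone are assumptions about the event layout.

```logstash
# Added example: normalise @timestamp from the event's own server time.
# Assumes the event carries a "server_time" field (hypothetical name) written
# either as "2024-01-31 13:45:12" in Europe/London local time or as ISO8601.
filter {
  # Keep the time Logstash received the event before it is overwritten, so a
  # large gap between received_at and @timestamp can later be spotted in Kibana.
  mutate {
    copy => { "@timestamp" => "received_at" }
  }

  # Replace @timestamp with the time recorded by the server. "timezone" tells
  # Logstash how to interpret a local time that carries no offset; a wrong or
  # missing timezone is a common cause of multi-hour discrepancies.
  date {
    match          => [ "server_time", "yyyy-MM-dd HH:mm:ss", "ISO8601" ]
    timezone       => "Europe/London"
    target         => "@timestamp"
    tag_on_failure => [ "_dateparsefailure" ]
  }

  # Events whose server_time could not be parsed keep the receipt time as
  # @timestamp and carry the failure tag, so they are easy to find and review.
  if "_dateparsefailure" in [tags] {
    mutate {
      add_field => { "timestamp_note" => "server_time unparsed; @timestamp is receipt time" }
    }
  }
}
```

Once received_at and @timestamp are both stored, a Kibana search or scripted field for events where the two differ by more than a chosen threshold will surface the kind of 12-hour gap described above.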

Thank you for your help.
