@timestamp is missing in Time-field name in Logstash template

111148 · March 2, 2017, 5:01pm

Hello, i am using this default template from logstash 5.2. folder in order to create it in Kibana for elastic search.

{
"template" : "logstash-",
"version" : 50001,
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"default" : {
"_all" : {"enabled" : true, "norms" : false},
"dynamic_templates" : [ {
"message_field" : {
"path_match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text",
"norms" : false
}
}
}, {
"string_fields" : {
"match" : "",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text", "norms" : false,
"fields" : {
"keyword" : { "type": "keyword" }
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date", "include_in_all": false },
"@version": { "type": "keyword", "include_in_all": false },
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
}
}
}
}
}

But after it is done i can not see the @timestamp or time field on the node.

Please advise what i am doing wrong.

I have deleted old index with proper logstash template parameters accidentally and now i can not create second one. Please advise how to do it properly so as reading manuals is not rather informative for me). Thanks.

Christian_Dahlqvist · March 3, 2017, 11:17am

Do you have any index created that match that index pattern? I believe Kibana looks for mappings for indices that match the pattern, not index templates that will match once an index is created.

111148 · March 3, 2017, 11:51am

Hello Christian,
Thanks for your answer.
I was forced delete logstash and install it from scratch so as i was not able to solve this issue with recreating an index. But only managed to do it only from the 3-d attempt. Logstash can not load template successfully from time to time to Elastic.
in order to overcome this i was forced shutdown the rest 2 of 3 nodes in ELK cluster and only then i have managed to load template with existing index to Logstash. But honestly saying i still do not understand how it works and how it should work normally.

Christian_Dahlqvist · March 3, 2017, 11:52am

Is there anything in the Elasticsearch logs?

111148 · March 3, 2017, 12:04pm

Nothing suspicious except json parse errors:

Christian_Dahlqvist · March 3, 2017, 12:05pm

That seems to be from the Logstash log, not Elasticsearch.

111148 · March 3, 2017, 12:07pm

Sorry. Yes.
But i though it is related to Logstash problem so as i am now in Logstash forum.
Checking the Elastic logs.

Christian_Dahlqvist · March 3, 2017, 12:09pm

The JSON conversion issue is Logstash, but that is what you opened a separate issue about. I was wondering about logs related to the issue around creating an index.

If that is no longer an issue we can leave it.

111148 · March 3, 2017, 12:23pm

In Elastic logs i see only error about "index can not be imported"

111148 · March 6, 2017, 5:32pm

Hello,
Again facing with this issue. Looks like your default template does not work as expected in Dev tools and in CURL as well.
Could you please try on your side and check if issue is reproducible?

system · April 3, 2017, 5:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.