Timestamp ISSUE

Hello everybody,

I have a stand-alone architecture. Logs are sent from a syslog_ng server to Logstash -> Elasticsearch -> Kibana.
I have a problem with the timestamp, as the capture below shows.

The logs are received at ELK at 2:11 AM, but the timestamp shows the logs received at 1:48 AM.

Do you have any idea how to solve this issue?

Best regards,

Have you checked that the times are the same on the sending system, on Logstash, and then on Elasticsearch? You should also be able to add the ingest timing in Discover, to see if there is a delay in ingesting and processing those documents.

Thanks zx8086 for the reply. I added a field for the ingested date:

    ruby {
      # Stamp each event with the UTC time at which Logstash processed it
      code => 'event.set("@created_time", Time.now.utc)'
    }

The field was added in the mapping:

    PUT /my-lab-*/_mapping
    {
      "properties": {
        "@created_time": {
          "type": "date"
        }
      }
    }

But the field type changed, as shown below:

    {
      "my-lab-2021.10.11-000011" : {
        "mappings" : {
          "@created_time" : {
            "full_name" : "@created_time",
            "mapping" : {
              "@created_time" : {
                "type" : "keyword",
                "ignore_above" : 2048
              }
            }
          }
        }
      },
      "my-lab-2021.10.11-000010" : {
        "mappings" : {
          "@created_time" : {
            "full_name" : "@created_time",
            "mapping" : {
              "@created_time" : {
                "type" : "date"
              }
            }
          }
        }
      }
    }

Do you have an idea about the correct way to add ingested.time?
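The script below is an added example, not code from this thread, from Logstash or from Elastic. It automates the two checks the thread is circling around: it walks a field-mapping response of the shape posted above and reports fields whose type differs between indices (a PUT _mapping to an index pattern only touches indices that already exist; a rollover index created afterwards takes its mapping from the index template, which is how the newer index ended up with a keyword), and it compares each event's @timestamp with the @created_time the ruby filter stamps at Logstash, classifying the gap as a plain ingest delay, a whole-hour multiple (the time-zone-like pattern the reply mentions), or a negative offset (source clock ahead). The mapping response and the sample documents are constructed for this example; the index names mirror those in the thread.

```python
"""Added example (not from this thread, Logstash or Elastic): two checks for
the symptoms discussed above, run over constructed sample data."""
from datetime import datetime, timezone

# Constructed to match the shape of GET /my-lab-*/_mapping/field/@created_time
# shown in the thread: one rollover index maps the field as keyword, the other as date.
FIELD_MAPPING_RESPONSE = {
    "my-lab-2021.10.11-000011": {"mappings": {"@created_time": {
        "full_name": "@created_time",
        "mapping": {"@created_time": {"type": "keyword", "ignore_above": 2048}}}}},
    "my-lab-2021.10.11-000010": {"mappings": {"@created_time": {
        "full_name": "@created_time",
        "mapping": {"@created_time": {"type": "date"}}}}},
}

# Constructed documents: @timestamp is the time carried in the log line,
# @created_time is when Logstash handled the event (UTC, ISO 8601 with a Z).
SAMPLE_DOCS = [
    {"_id": "a", "@timestamp": "2021-10-11T01:48:00.000Z", "@created_time": "2021-10-11T02:11:00.000Z"},
    {"_id": "b", "@timestamp": "2021-10-11T02:11:00.000Z", "@created_time": "2021-10-11T03:11:02.000Z"},
    {"_id": "c", "@timestamp": "2021-10-11T02:11:30.000Z", "@created_time": "2021-10-11T02:11:00.000Z"},
    {"_id": "d", "@timestamp": "2021-10-11T02:11:00.000Z", "@created_time": "2021-10-11T02:11:01.000Z"},
]


def field_types(response):
    """Return {field: {index: type}} from a field-mapping API response."""
    out = {}
    for index, body in response.items():
        for field, info in body.get("mappings", {}).items():
            # The inner "mapping" object is keyed by the leaf name of the field.
            leaf = next(iter(info["mapping"].values()))
            out.setdefault(field, {})[index] = leaf.get("type")
    return out


def find_type_conflicts(response):
    """Keep only fields mapped with more than one distinct type across indices."""
    return {f: m for f, m in field_types(response).items() if len(set(m.values())) > 1}


def parse_ts(value):
    """Parse an ISO 8601 timestamp as Logstash serialises it (trailing Z) to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def ingest_lag_seconds(doc):
    """Seconds between the event's own time and the time Logstash stamped on it."""
    return (parse_ts(doc["@created_time"]) - parse_ts(doc["@timestamp"])).total_seconds()


def classify_lag(seconds, tolerance=5.0, tz_slack=120.0):
    """Label a lag: 'ok' within tolerance; 'timezone-like' when it sits within
    tz_slack of a whole-hour multiple; 'source clock ahead' when negative;
    otherwise a plain 'ingest delay'."""
    gap = abs(seconds)
    if gap <= tolerance:
        return "ok"
    remainder = gap % 3600
    if gap >= 3600 and min(remainder, 3600 - remainder) <= tz_slack:
        return "timezone-like"
    if seconds < 0:
        return "source clock ahead"
    return "ingest delay"


def lag_report(docs):
    """Return [(doc id, lag in seconds, verdict)] for each document."""
    report = []
    for doc in docs:
        lag = ingest_lag_seconds(doc)
        report.append((doc["_id"], lag, classify_lag(lag)))
    return report


if __name__ == "__main__":
    for field, per_index in find_type_conflicts(FIELD_MAPPING_RESPONSE).items():
        print(f"type conflict on {field}: {per_index}")
    for doc_id, lag, verdict in lag_report(SAMPLE_DOCS):
        print(f"{doc_id}: lag={lag:+.0f}s -> {verdict}")
```

Document "a" reproduces the 23-minute gap from the first post and is labelled a plain ingest delay; the whole-hour case is what a time-zone mismatch would look like, and a negative lag means the source's clock runs ahead of Logstash, which is the time-drift question raised in the reply. The type-conflict check is the one to run after a rollover, since the mapping applied with PUT _mapping on a pattern does not carry over to indices created later.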

Those ingested times were part of the existing template I had. Maybe see if they are there if you ingest via a dynamic template?

What is strange is that the time variance is not in hours, which usually points to a time zone mapping issue.

Are all the nodes using the same time server to start with (and there is no time drift)?
