Hello everyone,
I am regularly ingesting a pair of events with the same timestamp. If they are shown in the incorrect order, it's very confusing for the user.
Used versions are logstash-7.9.1, kibana-7.9.1 and elasticsearch-7.9.1.
I added this ruby-code in the logstash-config, which successfully adds a seq-number.
Now my question is how I can use the tiebreaking mechanism to control which events are shown first. I played with Stack Management -> Advanced Settings -> context:tieBreakerFields. I tried "_doc" , "_doc, seq" , "seq, _doc " but to no avail. A kibana restart was performed after every change.
Getting the ordering right in the logs-feature from x-pack would be nice too, but since the setting is labeled "Discover" I think it is easier to get it working there.
Hi and welcome to our community!
So the context:tieBreakerFields is just used by the functionality of Discover that shows you documents in context, you can access it here:
After manually sorting by seq, it works 👍
If the exact ordering is required, using the view surrounding feature seems useful.
I am happy with this solution, thank you!
Still wondering whether someone has found a solution for the same problem in the X-pack - logs application. I tried the suggestions from this thread.