Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: change default time key from @timestamp to @ingestionTime #14878

Closed
naseemkullah opened this issue Dec 2, 2019 · 4 comments
Closed

Proposal: change default time key from @timestamp to @ingestionTime #14878

naseemkullah opened this issue Dec 2, 2019 · 4 comments
Assignees
@faec
Labels
discuss Issue needs further discussion. Team:Integrations Label for the Integrations team

Comments

@naseemkullah
Copy link

To distinguish between event time, processing time and ingestion time, where the former two can be added by other parts of the logging pipeline (logger may add event time, log aggregator may add processing time).
@kaiyan-sheng kaiyan-sheng added discuss Issue needs further discussion. Team:Beats Team:Integrations Label for the Integrations team labels Dec 2, 2019
@urso urso assigned faec Dec 3, 2019
@urso urso removed the Team:Beats label Dec 3, 2019
@urso urso unassigned faec Dec 3, 2019
@faec
Copy link
Contributor

faec commented Dec 3, 2019

Thanks! I'm not sure what is meant by changing the "default" time key, as the intention of @timestamp is to specify the time of the original event (as closely as possible given the data source), which is usually what is wanted for an event's "time," but you're right that ingestion time is also important.

There has been work on this issue recently: elastic/ecs#582 added event.ingested to the Elastic Common Schema, and #14001 (which should be merged soon) adds beats support for it. Would those fit the use cases you have in mind?

@faec faec self-assigned this Dec 3, 2019
@naseemkullah
Copy link
Author

naseemkullah commented Dec 3, 2019
edited
Loading

Thanks for clearing up the intention of @timestamp as I was under the impression that it was the time that the document reaches Elasticsearch.

I think my confusion arose by @timestamp often being ever so slightly after the time emitted in the actually log that gets stored.

On that topic, is it possible to merge the log's value emitted by the application with @timestamp somehow?

If I understand correctly the intention of @timestamp, (which gets added by beats, is that correct?) is to be the event time.

@faec
Copy link
Contributor

faec commented Dec 3, 2019

If @timestamp doesn't match the time in the original log entry, then (aside from time zone issues and such) it probably means that the time in the log entry isn't being recognized or parsed, in which case it falls back on the time that the entry was read. This could be because the input isn't configured for the type of logs it's reading. Modules will typically handle this automatically, but if you're using a raw log input or an unsupported format then it might need configuration adjustments... you could ask in the beats discuss forums if you have a particular setup you're trying to fix :-)

@naseemkullah
Copy link
Author

Thanks, that's really insightful!
I am using json logs that are emitted in UNIX format (float type). Would they have to be in Date type? In any case I'll go see what they say in the forum. Thanks. This issue can be closed.

@faec faec closed this as completed Dec 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@faec faec

Labels
discuss Issue needs further discussion. Team:Integrations Label for the Integrations team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@urso @andresrc @kaiyan-sheng @faec @naseemkullah