timestamp field is not working in elasticsearch

Question

timestamp field is not working in elasticsearch

sohel2020 opened this issue 3 years ago · 5 comments

sohel2020 commented 3 years ago

Elasticsearch version: 6.8.0
configuration:

  - name: "elasticsearch"
    elasticsearch:
      hosts:
      - http://localhost:9200
      index: kube-events
      indexFormat: "kube-events-{2006-01-02}"
      layout:
        message: "{{ .Message }}"
        reason: "{{ .Reason }}"
        type: "{{ .Type }}"
        count: "{{ .Count }}"
        kind: "{{ .InvolvedObject.Kind }}"
        name: "{{ .InvolvedObject.Name }}"
        namespace: "{{ .Namespace }}"
        component: "{{ .Source.Component }}"
        host: "{{ .Source.Host }}"
        labels: "{{ toJson .InvolvedObject.Labels}}"

Answer 1 · 2021-06-01T07:16:57.000Z

when I'm using layout then it's not working. without layout it is working. with layout it's not sending the following fields

    "fields":{
        "firstTimestamp":[
            "2021-06-01T07:06:05.000Z"
        ],
        "metadata.creationTimestamp":[
            "2021-06-01T07:06:05.000Z"
        ],
        "lastTimestamp":[
            "2021-06-01T07:06:05.000Z"
        ],
        "metadata.managedFields.time":[
            "2021-06-01T07:06:05.000Z"
        ]
    }

Answer 2 · 2021-06-08T14:37:54.000Z

I'm having similar issue, but a bit different. When I don't specify layout, the fields eventtime, firsttimestamp, lasttimestamp is correctly put into the documents. However, many events get filtered, which I don't know why.

Answer 3 · 2021-06-08T14:39:01.000Z

How I came to know some events are filtered, is that if I only specify field as below,

      layout:
        message: "{{ .Message }}"
        reason: "{{ .Reason }}"
        type: "{{ .Type }}"
        count: "{{ .Count }}"
        kind: "{{ .InvolvedObject.Kind }}"
        name: "{{ .InvolvedObject.Name }}"

I get much more events.

Answer 4 · 2021-06-16T21:25:22.000Z

It might be related to labels and annotations having dots, please see the latest update with DeDot functionality.

Answer 5 · 2021-08-27T08:32:00.000Z

when I'm using layout then it's not working. without layout it is working. with layout it's not sending the following fields

    "fields":{
        "firstTimestamp":[
            "2021-06-01T07:06:05.000Z"
        ],
        "metadata.creationTimestamp":[
            "2021-06-01T07:06:05.000Z"
        ],
        "lastTimestamp":[
            "2021-06-01T07:06:05.000Z"
        ],
        "metadata.managedFields.time":[
            "2021-06-01T07:06:05.000Z"
        ]
    }

Yes it's works when you don't use layout because the event is directly send to sink and the format of time fields are in ISO8601 format like this "2021-06-01T07:06:05.000Z" and it works with elasticsearch as date.
But when you use the layout the go struct change the format send for the date like this "2017-08-31 00:00:00 +0000 UTC". It's not recognized as a date by elasticsearch who set this as a string.