-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix filebeat elasticsearch module ingest timezone #13367
Changes from all commits
78c844f
f41c6ac
01fe3b9
bae477f
61ea389
f991380
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -51,6 +51,28 @@ | |
"field": "elasticsearch.audit.sub_action", | ||
"ignore_missing": true | ||
} | ||
}, | ||
{ | ||
"date": { | ||
"field": "elasticsearch.audit.@timestamp", | ||
"target_field": "@timestamp", | ||
"formats": [ | ||
"yyyy-MM-dd'T'HH:mm:ss,SSS" | ||
], | ||
"ignore_failure": true | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Now that this processor and the next one are both acting on the same There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it's better to not add
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think @ycombinator is right, we could add this
In previous versions both processors were meant to be executed, one to parse the date, and the next one to apply the timezone. We (well, you @pragkent 🙂 ) found this approach is not correct in many cases, so now we are duplicating the date processor, first option only parses the date, and second option parses the date with a timezone if available.
Actually we are setting Said that, as we had it quite tested by both @pragkent and me, and it solves an existing issue, I'd go on with merging this change as is, and have a follow up PR to review the conditions in the pipelines we have recently changed to fix this same issue. This way we keep a common convention for this. |
||
} | ||
}, | ||
{ | ||
"date": { | ||
"if": "ctx.event.timezone != null", | ||
"field": "elasticsearch.audit.@timestamp", | ||
"target_field": "@timestamp", | ||
"formats": [ | ||
"yyyy-MM-dd'T'HH:mm:ss,SSS" | ||
], | ||
"timezone": "{{ event.timezone }}", | ||
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] | ||
} | ||
} | ||
], | ||
"on_failure": [ | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this line be removed from this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, my fault, I did the merge, let me fix it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I see, I wanted to move the changelog entry 🙂