unclemeat

Reputation: 5207

ELK most appropriate timestamp name _ or @

What is the most appropriate name for the timestamp when utilizing Logstash to parse logs into Elasticsearch, then visualizing with Kibana?

I am defining the timestamp using date in a filter:

date {
     match => [ "logtime", "yy-MM-dd HH:mm:ss" ]
}

Logstash automatically puts this into the @timestamp field. Kibana can be configured to use any correctly formatted field as the timestamp, but it seems to be correct to use _timestamp in Elasticsearch. To do that, you have to mutate and rename the datestamp field.

mutate {
     rename => { "@timestamp" => "_timestamp" }
}

Which is slightly annoying.

This question could be entirely semantic - but is it most correct to use _timestamp, or is it just fine to use @timestamp? Are there any other considerations which should influence the naming of the timestamp field?

Upvotes: 2

Views: 1821

Answers (2)

Konstantin V. Salikhov

Reputation: 4653

Please note that _timestamp is a reserved and deprecated special field name. Actually, any field names starting with an underscore are reserved for Elasticsearch's future internal usage. AFAIK, the Logstash documentation examples use @timestamp as the field name without any renaming.

Upvotes: 3

Val

Reputation: 217474

Elasticsearch allows you to define fields starting with an underscore; however, Kibana (since v4) will only show the ones declared outside of the _source document.

You should definitely stick with @timestamp, which is the standard way to name the timestamp field in Logstash. Kibana will not allow you to use _timestamp.

Upvotes: 3
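
The setup both answers point to, as an added example that is not part of the original posts: the question's date filter writing to @timestamp with no rename, plus handling for lines whose time does not parse. The log layout in the dissect filter, the UTC timezone, the host and the index name are assumptions.

```logstash
# Added example, not from the original posts.
input { stdin { } }

filter {
  # Assumed (constructed) layout: "15-03-02 10:11:12 rest of the line"
  dissect {
    mapping => { "message" => "%{logtime} %{+logtime} %{msg}" }
  }

  date {
    match          => [ "logtime", "yy-MM-dd HH:mm:ss" ]
    target         => "@timestamp"             # the default, written out for clarity
    timezone       => "UTC"                    # assumption: the source logs are in UTC
    tag_on_failure => [ "_dateparsefailure" ]  # the default tag
    remove_field   => [ "logtime" ]            # applied only when the parse succeeds
  }
}

output {
  elasticsearch {
    hosts => [ "http://localhost:9200" ]       # placeholder host
    index => "logs-%{+YYYY.MM.dd}"             # %{+...} is formatted from @timestamp
  }
}
```

Events tagged _dateparsefailure keep the @timestamp Logstash assigned at ingestion and still carry the raw logtime field, so filtering on that tag in Kibana separates events ordered by ingest time from those ordered by log time.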
