I've changed my local copy of xmpp.rb input in logstash version 1.4.2 due to an annoyance with openfire XMPP server (and probably other XMPP servers).
Basically some XMPP servers resend old messages when logging into a conference chat. This can be disabled in the server but for various reasons this could not be done in my setup. This would have not been a problem if the older messages had the old timestamp from the XMPP xml. however they where all send with the current timestamp so I could not tell if these where old messages within logstash.
I add added the following line in xmpp.rb at line 60:
event["msgtimestamp"] = time
This has more strange behaviour that the old timestamp is now set in msgtimestamp but for any new (current) messages this event attribute is . However this "fix" is enough so I can filter out historical messages within logstash.
I think this is a bug and the xmpp timestamp from the xml should be used in @timestamp or at least in another event attribute like msgtimestamp.
(This issue was originally filed by @eroteme at https://github.com/elastic/logstash/issues/2064)
I've changed my local copy of xmpp.rb input in logstash version 1.4.2 due to an annoyance with openfire XMPP server (and probably other XMPP servers).
Basically some XMPP servers resend old messages when logging into a conference chat. This can be disabled in the server but for various reasons this could not be done in my setup. This would have not been a problem if the older messages had the old timestamp from the XMPP xml. however they where all send with the current timestamp so I could not tell if these where old messages within logstash.
I add added the following line in xmpp.rb at line 60:
event["msgtimestamp"] = time
This has more strange behaviour that the old timestamp is now set in msgtimestamp but for any new (current) messages this event attribute is. However this "fix" is enough so I can filter out historical messages within logstash.
I think this is a bug and the xmpp timestamp from the xml should be used in @timestamp or at least in another event attribute like msgtimestamp.
Thanks