[x] (optional) already reported 3rd party upstream repository or mailing list if you use k8s addon or helm charts.
Problem
Some, but not all, of our logs include the @timestamp field. When this field is present I'd expect the plugin not to overwrite it with the current time at ingestion.
Steps to replicate
<store>
  @type elasticsearch_data_stream
  @id es_logs_output
  @log_level warn
  # other settings are omitted.
  log_es_400_reason true
  include_timestamp true # https://github.com/uken/fluent-plugin-elasticsearch#include_timestamp
  hosts "#{ENV['ES_LOGS_HOSTS']}"
  port 9200
  user "#{ENV['ES_LOGS_USER']}"
  password "#{ENV['ES_LOGS_PASSWORD']}"
  data_stream_name logs-stream
  data_stream_template_name cordial-logs # specifies the index template name
  data_stream_ilm_name cordial-logs # specifies the ilm policy
  bulk_message_request_threshold "#{ENV['BULK_MESSAGE_REQUEST_THRESHOLD']}"
  request_timeout "#{ENV['ES_REQUEST_TIMEOUT']}"
  retry_tag 'retry_es'
  <buffer tag>
    @type file
    chunk_limit_size "#{ENV['ES_CHUNK_LIMIT_SIZE']}"
    flush_mode interval
    flush_interval 5s
    flush_thread_count "#{ENV['ES_FLUSH_THREAD_COUNT']}"
    retry_timeout 4h
  </buffer>
</store>
Send a record with the @timestamp field. Compare the @timestamp field in Elasticsearch and ensure it matches the original log record.
Expected Behavior or What you need to ask
If the record already includes the field @timestamp, do not overwrite it. Only add it if @timestamp does not already exist.
Using Fluentd and ES plugin versions
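The behaviour requested in this issue, written out as an added Ruby example. It is not the plugin's code and not from the issue author; `with_preserved_timestamp`, `usable_timestamp?` and the `@timestamp_original` field are hypothetical names. It goes one step beyond the request by assuming an unparseable `@timestamp` should fall back to the event time while keeping the original value, so the source timestamp needed for later log review is never silently lost.

```ruby
require 'time'

TIMESTAMP_KEY = '@timestamp'           # field named in the issue
ORIGINAL_KEY  = '@timestamp_original'  # hypothetical field for rejected values

# True when the value is something a date field could index: an ISO 8601
# string or a numeric epoch value (assumption: default date mapping).
def usable_timestamp?(value)
  case value
  when Numeric then true
  when String
    begin
      Time.iso8601(value)
      true
    rescue ArgumentError
      false
    end
  else false
  end
end

# Hypothetical helper, not the plugin's API. event_time is the Time attached
# to the event at ingestion. Returns a new hash; the input is not mutated.
def with_preserved_timestamp(record, event_time)
  out = record.dup
  if out.key?(TIMESTAMP_KEY)
    # The record's own timestamp wins and is left byte-for-byte unchanged.
    return out if usable_timestamp?(out[TIMESTAMP_KEY])
    out[ORIGINAL_KEY] = out[TIMESTAMP_KEY] # keep the bad value for review
  end
  # Only reached when @timestamp is missing or unusable.
  out[TIMESTAMP_KEY] = event_time.utc.iso8601(9)
  out
end

# Constructed sample events (not taken from the issue).
EVENT_TIME = Time.utc(2023, 1, 5, 10, 15, 30)
SAMPLES = [
  { 'message' => 'a', '@timestamp' => '2022-12-31T23:59:59.500Z' },
  { 'message' => 'b' },
  { 'message' => 'c', '@timestamp' => 'not-a-date' }
].freeze

SAMPLES.each { |r| puts with_preserved_timestamp(r, EVENT_TIME).inspect }
```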