Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ingest timestamp to pipeline #2934

Closed
dgieselaar opened this issue Nov 20, 2019 · 4 comments · Fixed by #3279
Closed

Add ingest timestamp to pipeline #2934

dgieselaar opened this issue Nov 20, 2019 · 4 comments · Fixed by #3279
Assignees
@graphaelli
Labels
low hanging fruit
Milestone
7.7

Comments

@dgieselaar
Copy link
Member

To be able to use transforms (and other post-processing pipelines), an ingest timestamp could be added to the events on ingestion:

https://www.elastic.co/guide/en/elasticsearch/reference/7.4/accessing-data-in-pipelines.html#accessing-ingest-metadata

This allows jobs to collect new documents, either for alerts, transforms or other projections of processor events. The current @timestamp references the time when the event was recorded, not when it was ingested, and is not a reliable way to sort when trying to collect new documents.

As APM Server currently adds the pipeline and the index template, it should probably handle the configuration of the ingest timestamp as well.

We should figure out how to deal with backwards compatibility. If the user is on Kibana 7.6, but on APM Server 7.1, is it possible for Kibana to add both the processor and update the mapping for the APM indices? If we add { ingest: { timestamp: { ... } } } to the mapping from Kibana, what happens when APM server overrides the template again?

cc @elastic/apm-ui
@sorenlouv
Copy link
Member

sorenlouv commented Nov 20, 2019
edited
Loading

what happens when APM server overrides the template again

APM Server doesn't overwrite the template. But if the user is on 7.4 and upgrades to 7.5 APM Server will create a new template that doesn't have the ingest mapping.

is it possible for Kibana to add both the processor and update the mapping for the APM indices

I think we should be able to do this when Kibana start up. Which would also solve the problem above (we'd require a kibana restart when APM Server is upgraded).

@graphaelli
Copy link
Member

elastic/ecs#582 introduces an event.ingested for this purpose. We can add an ingest pipeline (like elastic/beats#14001) to write this field - do we need it for every document or just transactions and errors?

@graphaelli graphaelli added this to the 7.7 milestone Dec 13, 2019
@dgieselaar
Copy link
Member Author

@graphaelli I think just transactions and errors is fine for now. I don't expect us to do any post-processing for spans and metrics any time soon (famous last words).

@graphaelli graphaelli self-assigned this Feb 4, 2020
@graphaelli graphaelli mentioned this issue Feb 4, 2020
Merged
@dgieselaar
Copy link
Member Author

dgieselaar commented Feb 5, 2020 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@graphaelli graphaelli

Labels
low hanging fruit
Projects
None yet
Milestone
7.7
Development

Successfully merging a pull request may close this issue.

add event.ingested to APM events graphaelli/apm-server
3 participants
@graphaelli @sorenlouv @dgieselaar