Filebeat 6.0.0-rc1: json.overwrite not working with @timestamp #5440

friesoft · 2017-10-25T15:04:49Z

Version: 6.0.0-rc1
Operating System: Red Hat 7
Steps to Reproduce:

Forwarding json messages from a log file to logstash using Filebeat does not set the @timestamp attribute correcty. The timestamps are already off on the Filebeat side (console output).
With 5.0.1 and 5.6.3 (latest GA) it is working, with 6.0.0-rc1 we get duplicate @timestamp fields.

Sample JSON to reproduce the issue:
{ "@timestamp": "2017-10-17T10:03:14.301Z", "request": "/" }

Sample Filebeat Config 5.0.1/5.6.3 (working):

filebeat.prospectors:
- input_type: log
  paths:
    - serverlogs/apache.json
  json.keys_under_root: true
  json.add_error_key: true
  json.overwrite_keys: true
  fields_under_root: true

output.console:
  pretty: true

Sample Filebeat Config 6.0.0-rc1 (not working):

filebeat.prospectors:
- prospector_type: log
  paths:
    - serverlogs/apache.json
  json.keys_under_root: true
  json.add_error_key: true
  json.overwrite_keys: true
  fields_under_root: true

output.console:
  pretty: true

Running with a 5.0.1 installation (download, untar, add serverlogs/apache.json file with sample provided above, add filebeat.json.yml with sample provided above, run):

[friedreb@pc64901 filebeat-5.0.1-linux-x86_64]$ rm -rf data/ && ./filebeat -c filebeat.json.yml
{
  "@timestamp": "2017-10-17T10:03:14.301Z",
  "beat": {
    "hostname": "pc64901",
    "name": "pc64901",
    "version": "5.0.1"
  },
  "input_type": "log",
  "offset": 61,
  "request": "/",
  "source": "serverlogs/apache.json",
  "type": "log"
}

Running with a 6.0.0-rc1 installation (download, untar, add serverlogs/apache.json file with sample provided above, add filebeat.json.yml with sample provided above, run):

[friedreb@pc64901 filebeat-6.0.0-rc1-linux-x86_64]$ ./filebeat -c filebeat.json.yml
{
  "@timestamp": "2017-10-25T07:54:57.673Z",
  "@metadata": {
  "beat": "filebeat",
  "type": "doc",
  "version": "6.0.0-rc1"
  },
  "@timestamp": "2017-10-17T10:03:14.301Z",
  "beat": {
    "name": "pc64901",
    "hostname": "pc64901",
    "version": "6.0.0-rc1"
  },
  "source": "/products/filebeat-6.0.0-rc1-linux-x86_64/serverlogs/apache.json",
  "offset": 61,
  "request": "/"
}

You can clearly see that the 6.0.0-rc1 installation contains duplicate @timestamp fields. This is resulting in wrong timestamps.

In the discuss entry on elastic.co we (@kvch) agreed that this is a bug.
https://discuss.elastic.co/t/6-0-0-rc1-json-overwrite-keys-not-working-with-timestamp/105189

The text was updated successfully, but these errors were encountered:

tsg · 2017-10-25T22:32:51Z

This was fixed in #5436, with some followups in #5437. Many thanks for reporting this issue!

This enabled duplicate key detection when we read the results in the system tests. This makes sure that if we ever have a duplicate key like in elastic#5440 we will notice. Part of elastic#5437.

* Catch duplicate keys in integration tests This enabled duplicate key detection when we read the results in the system tests. This makes sure that if we ever have a duplicate key like in #5440 we will notice. Part of #5437.

kvch added bug libbeat Pioneer Program labels Oct 25, 2017

kvch mentioned this issue Oct 25, 2017

Double @timestamp key when using the JSON decoder #5437

Closed

4 tasks

friesoft mentioned this issue Oct 25, 2017

Filebeat 6.0.0-rc1: logfiles are fully parsed on every start #5442

Closed

tsg closed this as completed Oct 25, 2017

tsg mentioned this issue Oct 26, 2017

Catch duplicate keys in integration tests #5455

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Filebeat 6.0.0-rc1: json.overwrite not working with @timestamp #5440

Filebeat 6.0.0-rc1: json.overwrite not working with @timestamp #5440

friesoft commented Oct 25, 2017

tsg commented Oct 25, 2017

Filebeat 6.0.0-rc1: json.overwrite not working with @timestamp #5440

Filebeat 6.0.0-rc1: json.overwrite not working with @timestamp #5440

Comments

friesoft commented Oct 25, 2017

tsg commented Oct 25, 2017