Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Provide an official provision for tie-breaking events with the same @timestamp
See original GitHub issueDescription of the issue:
ECS doesn’t currently have an official provision for tie-breaking events with the same @tiemstamp. This means that saved queries in Kibana populated by beats and the Kibana logs app don’t have a way of doing so and end up displaying such events in the wrong order.
This is very inconvenient for log events which can often be written quite fast in succession.
ECS should have a documented official provision for this, and the relevant Kibana apps/plugins and beats pre-loaded objects should be modified to use it by default.
This can be a set of fields that are used for this by default, or a new field dedicated for it that beats and apps should generate.
Any additional context or examples:
The Kibana logs app defaults the tie-breaker field to _doc and no longer makes it settable, referring you to the ECS schema, which has no field for this, leaving you between a rock and a hard place.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:5 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I believe this is something that should be handled by default in the ECS schema, beats and Kibana apps. So that log messages and other events retain their order as much as possible.
As it currently stands, log messages/events that are written with the same time lose their order, and require you to manually do a secondary sort. This is something that is not even possible to do in the Kibana logs app, and the tie-breaking field there is fixed (Cannot be changed in the UI) to the not so useful
_docfield, citing the ECS schema. In other words, the Kibana logs app has no useful to keep the logs sorted properly.Of course, what kind of field this should be, and how it should be filled, will have to be specified, and beats, Kibana and others will have to be modified for it.
Note that based on my quick experiment to workaround this issue, even if you copy
event.sequenceto the_docfield (eg in functionbeat), the resulting sort in Kibana -> Discover is mistakenly in ascending order, not descending. So you see events sorted first by timestamp descending, then within the same timestamps in ascending sequence order.I suspect https://discuss.elastic.co/t/not-able-to-sort-data-in-kibana-ui/254102/11 is reporting this same issue.