hkelley
(Hkelley)
January 13, 2019, 10:39pm
21
I’ve discovered that the messages “stuck” in the journal are the ones where I set a timestamp attribute, e.g.:
{"timestamp": 1545401448067, "host": "xyz.com", "version": "1.1", "_cs_data": "XX", "short_message": "csdatareplicator"}
The same (minus the timestamp) is indexed:
{"host": "xyz.com", "version": "1.1", "_cs_data": "XX", "short_message": "csdatareplicator"}
The Example Payload in the GELF 2.5 docs shows a timestamp field in the document.
2 Likes
konrad
(Konrad Merz)
January 14, 2019, 10:14am
22
Thank you very much!
I can reproduce that. I am a new developer and I am not sure what the expected behavior is. But it is a bug anyway:
Either it’s supposed to work with timestamp
or it is not and the manual is wrong at that point
Could you please open an issue for that and I will see that the issue gets fixed?
1 Like
hkelley
(Hkelley)
January 14, 2019, 12:35pm
23
Thank you. Issue 5501 has been created.
1 Like
konrad
(Konrad Merz)
January 14, 2019, 4:00pm
25
As @dennis pointed out in the GitHub issue, the format of the timestamp was wrong.
A timestamp with milliseconds should be in float notation like: "timestamp":1545401488.441 or without milliseconds like: "timestamp":1545401488. This solves the issue.
hkelley
(Hkelley)
January 15, 2019, 1:00am
26
Thank you. Apologies for missing that. As it turns out, I had two issues:
wrong precision on my timestamp (as you pointed out)
a field in the “inner” JSON document - also called timestamp - that seemed to be conflicting with the GELF timestamp.
Once I fixed (removed) the duplicate timestamp element, all of my logs started to flow.
2 Likes
I’m very happy that you got it all sorted out!
Sorry for dropping out of the conversation all of a sudden; I’m at a SANS training all week, which is taking ALL of my time
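The two fixes from this thread (epoch seconds instead of milliseconds, and no inner field named timestamp colliding with the GELF one) can be enforced on the sending side. This is an added example, not code from the thread or from Graylog; the function names, the `src_` prefix, the millisecond cutoff and the sample inner document are assumptions.

```python
import json

# Assumption: an epoch value this large can only be milliseconds
# (1e11 seconds would be a date in the year 5138).
MS_CUTOFF = 1e11
# Inner keys that must not end up as "_timestamp" or "_id" once flattened
# (the GELF spec disallows "_id"; "timestamp" is the clash seen in this thread).
CLASHING = {"timestamp", "id"}


def gelf_seconds(ts):
    """Return epoch seconds (decimal part = ms) from seconds or milliseconds."""
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        raise ValueError(f"timestamp must be a number, got {ts!r}")
    return ts / 1000.0 if ts > MS_CUTOFF else ts


def build_gelf(host, short_message, inner, ts=None):
    """Build a GELF 1.1 dict; `inner` is the application's own JSON document."""
    msg = {"version": "1.1", "host": host, "short_message": short_message}
    if ts is not None:  # when omitted, the server sets the time itself
        msg["timestamp"] = gelf_seconds(ts)
    for key, value in inner.items():
        # Rename rather than drop, so the source's own time stays searchable.
        name = f"src_{key}" if key in CLASHING else key
        msg[f"_{name}"] = value
    return msg


if __name__ == "__main__":
    # Constructed sample based on the payload quoted in the thread.
    inner = {"cs_data": "XX", "timestamp": "2018-12-21T14:10:48Z"}
    print(json.dumps(build_gelf("xyz.com", "csdatareplicator", inner, 1545401448067)))
```

Because the malformed messages in this thread sat in the journal without being indexed, a sender-side check like this is cheaper than discovering the gap later from missing events.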