How can I get the default `@timestamp` on elastic output?

steve.malenfant

``` { "create": { "_index":".ds-interfaces-sensors-ptx-2023.03.22-000001","_id":"5bltTMx3nTh6pWRi","status":400,"error": { "type":"mapper_parsing_exception","reason":"failed to parse","caused_by": { "type":"illegal_argument_exception","reason":"_id must be unset or set to [0QfN01UBNYDT2wsqAAABhwrKl7A] but was [5bltTMx3nTh6pWRi] because [.ds-interfaces-sensors-ptx-2023.03.22-000001] is in time_series mode" } } } },```

steve.malenfant

https://www.elastic.co/guide/en/elasticsearch//reference/master/tsds.html#differences-from-regular-data-stream

steve.malenfant

I'm not sure why the worker didn't get those error messages

steve.malenfant

That was from a capture on the wire

Harry Gardner

Based on the docs. > For TSDS documents, the document `_id` is a hash of the document's dimensions and `@timestamp`;. A TSDS doesn't support custom document `_id` values The `_id` currently being set is `random(16)` . However, it is possible to override this by adding `__id` to the event. Logic looks like this: ```const _id = event.__id ?? random(16);```

azerbe

It might need to be unset though. Is that possible?

Harry Gardner

Unfortunately this happens in formatting of data before it hits the wire.

steve.malenfant

_id should not be set. it is automatically generated by elastic on ingest.

steve.malenfant

It would only be useful to "update" documents and NEVER used for metrics

azerbe

<@U0410L186KS&gt; Can you try stripping _id out using an elastic ingest pipeline? In the interim?

steve.malenfant

I could do that.

Harry Gardner

_id is required in other situations, which is why it's provided by default. Looks like we need an option to omit _id. I'll open a ticket.

steve.malenfant

When in data stream, disable.

steve.malenfant

You will run against issues with read-only index, etc...

steve.malenfant

It should be user option to create _id in the pipeline

steve.malenfant

From Logstash documentation:

steve.malenfant

Removed the _id using ingest pipeline. That works.

Harry Gardner

Cool, glad there is a work around! Created ticket: `CRIBL-16300` to address this in an upcoming release.

steve.malenfant

Argg.. now I got data in the future!

steve.malenfant

Only 1 document made it. Something isn't working.

steve.malenfant

That's the document I set manually. Not working :slightly_smiling_face:

steve.malenfant

Documentation problem maybe regarding "ingest pipeline". I used the field "Elastic pipeline" but that didn't work. I had to use the "extra parameters".

steve.malenfant

Not working:

steve.malenfant

Working:

azerbe

I had problems with an older version of Cribl with the pipeline, it wasn't being put in the correct place in the url that was constructed for the API call

steve.malenfant

After adding the extra parameter, I see this: `POST /_bulk?pipeline=remove_id HTTP/1.1`

azerbe

What do you see when it is specified in the Elastic pipeline field?

steve.malenfant

Just `_bulk`

azerbe

I feel a bug report coming on....

steve.malenfant

Was just looking at this with somebody else. The problem is that it needs to be "quoted"