Is the order of filebeat output to es, log out of order?

mainly wants to use filebeat to output directly to es, without using logstash. Used for log crawling.

problem: after filebeat outputs the log to es, when looking at the log, it is found that the order in the log is out of order.
developers seem to have a lot of effort.
for example:

        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 871 DEBUG xxx
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 871 DEBUG 
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 872 INFO 
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 869 INFO 
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 871 DEBUG
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 871 INFO 
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 869 INFO  
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 869 DEBUG 
        April 12th 2018, 15:44:29.443   2018-04-12 15:44:25 870 DEBUG

the following milliseconds are cluttered without a normal sort input to es.

ask anyone who knows more about filebeat to help answer!

Thank you!

Filebeat

Mar.02,2021

it depends on whether your log is collected from one machine or multiple machines; whether your filebeat and your es are on the same machine or belong to two machines.

as I understand it, if the ide/en/beats/filebeat/1.1/configuration-filebeat-options.html-sharp_publish_async" rel=" nofollow noreferrer "> publish_async option is not enabled in the filebeat configuration, then the output of a single filebeat instance is always in the same file order.
but if you deploy multiple filebeat, on multiple servers Because each system clock may not be exactly the same at all times (resulting in the log recording time may not be the same on each server), and transmitted through the network, there is no guarantee that the data received by es is the same as that indicated in the log.
even if there is only one filebeat instance, if it is deployed on a different server from es, it only eliminates the problem of system clock. However, network problems may still cause late logs to be received by es first.

if there is a requirement for log timing, it is best to parse the log time into es timestamp. through a logstash,

recently solved this problem. Our scenario is to output json-file in docker environment, and the log driver is nanosecond precision, but the application (such as java) is millisecond. In es, timestamp is date, which means millisecond precision. This means that even if you pass nanosecond logs to es, you will lose precision because of the data type. Our scenario is more complicated than this, because there are so many nanosecond logs in the same millisecond. If you just give it to es to sort, a tragedy will happen. After the loss of precision, the logs will be out of order.
solution:

obtain the source of the log itself through source to ensure that the log sources are not serialized with each other
retains the precision of nanosecond logs. When passed to es, nanosecond logs are saved separately as a string type timestamp using pipeline (for the reasons above)
if es finds disorder through timestamp sorting, then sort strings through this nanosecond time

the solution has been tested and has been installed

Previous: Why didn't my cPP code pass the clion compilation on the linux platform?

Next: On the question of redrawing and rearranging, how to get the rendering completed event?

Why does the type of geo_point not take effect if a field in the logstash log is set?
the architecture is simple: filebeat collects nginx logs, output to logstash logstash format and then output to elasticsearch There is nothing to say about the configuration of filebeat but to send the access.log of nginx directly to logstash ...

Filebeat logstash elk elasticsearch kibana

Feb.28,2021
How many inputs of filebeat nodes can logstash hold?
excuse me, A 4-core 8G machine with logstash, deployed on it can probably support several log input nodes of filebeat. If there is no message queue as buffer, do you have any experience in this field? similarly, how many logstash nodes can a 4-core ...

Filebeat elasticsearch logstash elk

Mar.21,2021
The filebeat6.2 version directly inputs the jar file run log to es (6.2) version, and how to modify the default index name in filebeat
how to modify the index name in the filebeat6.2 version. The default is the format "filebeat-6.2.1-2018.06.14 ". it is not possible to add "index: indexName " directly to the filebeat.yml file. ...

Filebeat

Mar.23,2021
How to configure multiple redis? to receive logs for filebeat
there are two log files a.log and b.log and two more redis An and redis B on the same machine. If you want to send two logs to two redis separately, how should I configure filebeat.yml? ...

Redis-Cluster filebeat

Apr.09,2021
Can Filebeat.config.modules specify include_lines?
all the materials seen so far are filebeat.inputs: . Only under the include_lines attribute can be used for Filter log content. Such as filebeat.inputs: - type: log ... include_lines: [ ^ERR , ^WARN ] but now I don t open filebeat.inputs...

Elk filebeat

Jun.01,2021
Can filter set dictionary matching in logstash? (similar to GeoIP)
problem description there is a requirement to get the accessed domain name IP from the log and want to match the type and Chinese name of the website in filter. the type and Chinese name of the website are stored in a database file, just like a dic...

Elk logstash elasticsearch kibana filebeat

Apr.07,2022

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1bdc4c6-312d0.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1bdc4c6-312d0.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?