I have some logs like this:
2022-12-07 17:22:53,838 [INFO]: {"status_code": 304, "method": "GET", "url": "/backend/some/url", "remote_ip": "rem.ote.ip.add", "response_time": 101.61018371582031} - tornado.access
I use an aggregator to parse those logs into the fields timestamp, loglevel, status_code etc. and send them to my opensearch instance. The problem is that the timestamp field is of type string in opensearch, so it cannot be sorted by in the Discover page. Oddly enough, it also has a field date of type float.
I then tried creating a new index with a changed timestamp format as per this answer (second option).
The problem here is that opensearch either uses the date it received the logs as the timestamp, or it just doesn't recognize any timestamp field:
If you follow this solution, the
timestampfield type should be the date.Can you share the mapping of the index?
Can you check the index_pattern and make sure the log-9 index_pattern date is set to
timestamp