Timestamp not appearing in Kibana

Question

I'm pretty new to Kibana and just set up an instance to look at some ElasticSearch data.

I have one index in Elastic Search, which has a few fields including _timestamp. When I go to the 'Discover' tab and look at my documents, each have the _timestamp field but with a yellow warning next to the field saying "No cached mapping for this field". As a result, I can't seem to sort/filter by time.

When I try and create a new index pattern and click on "Index contains time-based events", the 'Time-field name' dropdown doesn't contain anything.

Is there something else I need to do to get Kibana to recognise the _timestamp field?

I'm using Kibana 4.0.

Answer 1

You'll need to take these quick steps first :

1. Go to Settings → Advanced.
2. Edit the metaFields and add "_timestamp". Hit save.
3. Now go back to Settings → Indices and _timestamp will be available in the drop-down list for "Time-field name".

Answer 2

In newer versions you are required to specify the date field before you send your data.

Your date field must be in a standard format such as miliseconds after Epoch (long number) or - just as suggested by MrE - in ISO8601. See more info here: https://www.elastic.co/guide/en/elasticsearch/reference/current/date.html

Again, before you send your data to the index, you must specify the mapping for this field. In python:

import requests
mapping = '{"mappings": {"your_index": {"properties": {"your_timestamp_field": { "type": "date" }}}}}'
requests.put('http://yourserver/your_index', data=mapping)
...
send_data()

Answer 3

My es version is 2.2.0

You have to the right schema. I follow the guide Eg:

 {
        "memory": INT,
        "geo.coordinates": "geo_point"
        "@timestamp": "date"
    }

If you have the @timestamp, you will see the

ps: if your schema doesn't have "date" field, do not check "Index contains time-based events