Date type has not enough precision for the logging use case. #10005
Comments
|
I know Joda's got a precision limit (the Instant class is millisecond precision) and a year limit ("year must be in the range [-292275054,292278993]"). I'm open to helping explore solutions in this area. |
|
What about consequences to field_date size? even with docvalues in place, cardinality will be ridiculously high. Even for those scenarios which need this, this could be an overkill, no? |
|
Couldn't you just store the decimal part of the second in a secondary field (as a float or long) and sort by these two fields when needed? You could still aggregate based on the standard date field but not at a microsecond resolution. |
|
I've been speaking to a few networking firms lately and it's dawned on me that microsecond level is going to be critical for IDS/network analytics. |
|
Another request from the community - https://discuss.elastic.co/t/increase-the-resolution-of-elastic-timestamps-to-nanoseconds/24227 |
|
that last request is mine I believe. I would add that to monitor networking (and other) activities in our field, nanosecond support is paramount. |
|
👍 for this feature |
|
What about switching from Joda Time to date4j? It supports higher-precision timestamps compared to Joda and supposedly the performance is better as well. |
|
Before looking on the technical side, is BSD License compatible with Apache2 license? |
|
So BSD is compatible with Apache2. |
|
I'd like to hear @jpountz's thoughts on this comment #10005 (comment) about high cardinality with regards to index size and performance. I could imagine adding a We would need to move away from Joda, but I wouldn't be in favour of replacing Joda with a different dependency. Instead, we have this issue discussing replacing Joda with Java.time #12829 |
|
@clintongormley It's hard to predict because it depends so much on the data so I ran an experiment for an application that ingests 1M messages at a 2000 messages per second per shard rate.
Millisecond precision is much more space-efficient, in particular because with 2k docs per second, several messages are in the same millisecond, but even if we go with 1M messages at a rate of 200 messages per second so that sharing the same millisecond is much more unlikely, there are still significant differences between millisecond and microsecond precision.
That said, these numbers are for a single field, the overall difference would be much lower if you include Regarding performance, it should be pretty similar. |
|
From what users have told me, by far the most important reason for storing microseconds is for the sorting of results. it make no sense to aggregate on buckets smaller than a millisecond. This can be achieved very efficiently with the two-field approach: one for the date (in milliseconds) and one for the microseconds. The microseconds field would not need to be indexed (unless you really need to run a range query with finer precision than one millisecond), so all that would be required is doc_values. Microseconds can have a maximum of 1,000 values, so doc_values for this field would require just 12 bits per document. For the above example, that would be only an extra 11kB. A logstash filter could make adding the separate microsecond field easy. |
|
Meh - there aren't 1000 bits in a byte. /me hangs his head in shame. It would require 1,500kB |
|
If we want to use the ELK framework proper analyzing network latency we really need nanosecond resolution. Are there any firm plans/roadmap to change the timestamps? |
|
Let's say I index the following JSON document with nanosecond precision timestamps: So the internal date representation will be, But if I issue a query matching that document, and ask for either the Or is there a requirement that internal date manipulations in ES need such nanosecond precision? I am imagining that if one has records with nanosecond precision, only being able to query for a date range with millisecond precision could potentially result in more document matches than wanted. Is that the major concern? |
|
I think the latter, internal date manipulations need probably nanosecond precision. Reason is that when monitoring latency on 10Gb networks we get pcap records (or packets directly from the switch via UDP) which include multiple fields with nanosecond timestamps in the record. We like to find out the difference between the different timestamps in order to optimize our network/software and find correlations. In order to do this we like to zoom in on every single record and not aggregate records. |
|
👍 for solving this. It is causing major issues for us now in our logging infrastructure. |
|
@pfennema @abierbaum What problems are you having that can't be solved with the two-field solution? |
|
What we like to have is that we have a timescale in the display (Kibana) where we can zoom in on the individual measurements which have a timestamp with nanosecond resolution. A record in our case has multiple fields (NICTimestamp, TransactionTimestamp, etc) which we like to correlate with each other on an individual basis hence not aggregated. We need to see where spikes occur to optimize our environment. If we can have on the x-axis the time in micro/nanosecond resolution we should be able to zoom in on individual measurements. |
|
@clintongormley Our use case is using ELK to analyze logs from the backend processes in our application. The place we noticed it was postgresql logs. With the current ELK code base, even though the logs coming from the database server have the commands in order, once they end up elastic search and are visualized in kibana the order of items happening on the same millisecond are lost. We can add a secondary sequence number field, but that doesn't work well in Kibana queries (since you can't sort on multiple fields) and causes quite a bit of confusion on the team because they just expect the data in Kibana to be sorted in the same order as it came in from postgresql and logstash. |
|
We have the same problem as @abierbaum described. When events happen on the same millisecond the order of the messages is lost. |
|
You don't need to increase the timestamp accuracy: instead, the time sorting should be based on both timestamp and ID: message IDs are monotonically increasing, and specifically, they are monotonically increasing for a set of messages with the same timestamp... |
|
Our use case is that we ingest logs kubernetes => fluentd (0.14) => elasticsearch, and logs that are emitted rapidly (anything under a millisecond apart, which is easily done) obviously have no way of being kept in that order when displayed in kibana. |
|
Same issue, we are tracking events that happen within nanosec precision. Is there any plan to increase it? |
|
Yes, but we need to move from Joda to Java.time in order to do so. See #27330 |
|
I opened bug in Logback as its core interface also preserves data in millisecond resolution so precision is lost even earlier, before ES: https://jira.qos.ch/browse/LOGBACK-1374 It seems that historical |
|
Same use case, using kubernetes filebeat elasticsearch stack for log collection, but not having nano second precision is leading to incorrect ordering of logs. |
|
Seems like we need to consider the collectors providing a monotonically increasing counter which records the order in which the logs were collected. Nanosecond precision does not necessarily solve the problem because time resolution might not be nanosecond. |
|
Seriously guys ? This bug is almost 3 years old... |
|
The problem is also that if you try to find a workaround you run into a series of other bugs so there is not even a viable acceptable workaround:
So the only viable workaround seems to be to have an epoch + 2 additional digits which are increased in logstash when the timestamp matches. Does anyone have found a better approach? |
|
Been storing microseconds since epoch in an number field for 2 years now. |
|
cc @elastic/es-search-aggs |
|
Not all time data is collected using commodity hardware. There is plenty of specialty equipment that collects nanosecond resolution data. Thinking about other applications besides log analysis. Sorting by time is critical, but aggregations over small timeframes is also important. For example, maybe I just want to aggregate some scientific data over a one second window or even over millisecond window. I have nanosecond resolution data and would love to be able to use ES aggregations to analyze it. |
|
Elasticsearch 7.0 will include a |
|
https://jira.qos.ch/browse/LOGBACK-1374 added It is in 1.3.0-alpha12. I'll expect to see usage in new appenders. |
At present, the 'date' type is millisecond precision. For many log use cases, higher precision time is valuable - microsecond, nanosecond, etc.
The biggest impact of this is during sorting of search results. If you sort chronologically, newest-first, by a date field, documents with the same date will probably be sorted incorrectly (because they match). This is often reported by users seeing events "out of order" when they have the same timestamp. Specific example being sorting by date and seeing events in newest-first order, unless there is a tie, in which case oldest-first (or first-written?) appears. This causes a bit of confusion for the ELK use case.
Related: logstash-plugins/logstash-filter-date#8
I don't have any firm proposals, but I have two different implementation ideas:
now-1hor doing date_histogram, etc)datetype have configurable precision, with the default (backwards compatible) precision being milliseconds. This would let us choose, for example, nanosecond precision for the logging use case, and year precision for an archaeological use case (billions of years ago, or something). Benefit here is date histogram and other date-related features could still work. Further, having the precision configurable would allow us to keep the underlying data structure a 64bit long and users could choose their most appropriate precision.The text was updated successfully, but these errors were encountered: