Elasticsearch timestamp indexing for log pipelines
Use date (milliseconds) unless you ingest tracing spans needing date_nanos. Normalize to UTC during ingest; keep event.original timezone offsets for forensics. Range queries should hit a single field: scattering timestamps across unparsed strings defeats index pruning.
Mappings
PUT logs-000001
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "ingested_at": { "type": "date" },
      "service": { "type": "keyword" }
    }
  }
}
Ingest pipelines
Chain the date processor first to parse strings, then a script processor to clamp impossible years. Avoid applying two processors that rewrite the same field differently: order matters, and failures quietly roll documents into dead-letter indices if you do not monitor pipeline error metrics.
Range query performance
GET logs-*/_search
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": { "gte": "now-1h", "lte": "now" }
    }
  },
  "aggs": {
    "per_service": { "terms": { "field": "service", "size": 20 } }
  }
}
ILM and retention
Index lifecycle policies delete or shrink based on rollover age, not wall-clock maintenance windows. When reconstructing regulatory timelines, tie the delete phase to compliance retention derived from the ingest timestamp, not file arrival order.
| Field type | Resolution | When |
|---|---|---|
| date | Milliseconds | Default logs/metrics |
| date_nanos | Nanoseconds | Tracing merge |
| keyword (ISO string) | None (sort lexicographic) | Avoid for hot ranges |
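The keyword row above and the earlier advice to normalize to UTC while keeping event.original, worked through as an added example (not code from the original page). The events, the helper names and the query window are constructed for illustration; the comparison shows a text range over ISO strings returning the wrong events when hosts log with different offsets.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample events (not from the page): hosts logging in local offsets.
EVENTS = [
    {"id": "a", "ts": "2026-05-01T23:30:00+02:00"},  # 21:30 UTC
    {"id": "b", "ts": "2026-05-01T22:00:00+00:00"},  # 22:00 UTC
    {"id": "c", "ts": "2026-05-01T18:15:00-05:00"},  # 23:15 UTC
    {"id": "d", "ts": "not-a-date"},                 # unparseable
]


def to_millis(iso):
    """Parse an ISO 8601 string with an explicit offset into UTC epoch millis."""
    parsed = datetime.fromisoformat(iso)  # raises ValueError on junk input
    if parsed.tzinfo is None:
        raise ValueError("no UTC offset: " + iso)
    return (parsed - EPOCH) // timedelta(milliseconds=1)


def ingest(events):
    """Normalize each event; collect failures instead of dropping them."""
    docs, dead_letter = [], []
    for ev in events:
        try:
            docs.append({"id": ev["id"], "@timestamp": to_millis(ev["ts"]),
                         "event.original": ev["ts"]})  # raw offset kept
        except ValueError as err:
            dead_letter.append({"id": ev["id"], "error": str(err)})
    return docs, dead_letter


def keyword_range(events, gte, lte):
    """Range over ISO strings stored as keyword: compares text, not time."""
    return [ev["id"] for ev in events if gte <= ev["ts"] <= lte]


def date_range(docs, gte, lte):
    """Range over a date field: compares instants in UTC epoch millis."""
    lo, hi = to_millis(gte), to_millis(lte)
    return [d["id"] for d in docs if lo <= d["@timestamp"] <= hi]


if __name__ == "__main__":
    docs, dead = ingest(EVENTS)
    window = ("2026-05-01T22:00:00+00:00", "2026-05-01T23:59:00+00:00")
    print("keyword:", keyword_range(EVENTS, *window))
    print("date:", date_range(docs, *window), "dead-letter:", dead)
```

For the 22:00 to 23:59 UTC window the text comparison returns event a (actually 21:30 UTC) and misses event c (23:15 UTC), while the unparseable event d is counted in the dead-letter list rather than vanishing.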
Key takeaways
- One canonical @timestamp per document.
- Watch pipelines with _ingest metrics: silent failures are common.
- Prefer epoch millis strings in bulk if generators already produce them.
- Cross-check with log analysis guide.
Written by Unix Calculator Editorial Team — Last verified May 2026.