logging/ascii/json: Make TS_MILLIS signed, add TS_MILLIS_UNSIGNED

It seems TS_MILLIS is specifically for Elasticsearch and starting with
Elasticsearch 8.2 epoch_millis does (again?) support negative epoch_millis,
so make Zeek produce that by default.

If this breaks a given deployment, they can switch Zeek back to TS_MILLIS_UNSIGNED.

https://discuss.elastic.co/t/migration-from-es-6-8-to-7-17-issues-with-negative-date-epoch-timestamp/335259
https://github.com/elastic/elasticsearch/pull/80208

Thanks to @timo-mue for reporting!

Closes #4494
Arne Welzel 2025-05-30 12:30:50 +02:00
parent f16ebd34b3
commit 93813a5079
10 changed files with 78 additions and 7 deletions

@ -363,6 +363,8 @@ bool Ascii::InitFormatter() {
tf = threading::formatter::JSON::TS_EPOCH;
else if ( strcmp(json_timestamps.c_str(), "JSON::TS_MILLIS") == 0 )
tf = threading::formatter::JSON::TS_MILLIS;
else if ( strcmp(json_timestamps.c_str(), "JSON::TS_MILLIS_UNSIGNED") == 0 )
tf = threading::formatter::JSON::TS_MILLIS_UNSIGNED;
else if ( strcmp(json_timestamps.c_str(), "JSON::TS_ISO8601") == 0 )
tf = threading::formatter::JSON::TS_ISO8601;
else {
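Review bot: The fallthrough `else {` that closes this chain is cut off in the visible context, so please confirm that whatever it reports for an unrecognized json_timestamps value now names JSON::TS_MILLIS_UNSIGNED among the accepted ones. That string is the one the commit message tells operators to switch to if signed output breaks their deployment, so it is the value most likely to be typed by hand into a config. As a minor style point on the added branch, json_timestamps already exposes c_str(), so comparing it directly against the literal with == would be shorter than strcmp(...) == 0, although keeping the form of the neighbouring branches is a fair reason to leave it as is.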