BestHub
Sign in
Databases 5 min read

How to Accurately Track Document Write Time in Elasticsearch – 3 Practical Methods

Elasticsearch does not store a built‑in write timestamp, so to trace when a document was indexed you must add the field during ingest, using either an Ingest Pipeline, Logstash/Beats configuration, or application‑side code, with guidance on advantages, caveats, and handling historical data.

Mingyi World Elasticsearch
Mingyi World Elasticsearch
Mingyi World Elasticsearch
How to Accurately Track Document Write Time in Elasticsearch – 3 Practical Methods

Why Elasticsearch Lacks a Built‑In Write‑Time Field

Elasticsearch is a near‑real‑time search engine that generates an _id and version number for each document, but it does not automatically add a timestamp. To trace when a document was written, a timestamp must be added explicitly during the ingest stage.

Three Implementation Options Compared

Option 1: Ingest Pipeline (standard production solution, highly recommended)

Elasticsearch provides built‑in ingest nodes that can modify documents before indexing. A pipeline can be created to set a field (e.g., _source.create_time) to the ingest timestamp {{_ingest.timestamp}}. The pipeline is then referenced when indexing documents.

PUT _ingest/pipeline/add_timestamp
{
  "description": "Add write time field",
  "processors": [
    {
      "set": {
        "field": "_source.create_time",
        "value": "{{_ingest.timestamp}}"
      }
    }
  ]
}

PUT my-index/_doc/1?pipeline=add_timestamp
{
  "title": "Test document"
}

GET my-index/_search

Pros: No code changes required, centralized control, millisecond precision.

Note: Use a field name such as create_time to avoid confusion with the internal @timestamp field.

Option 2: Logstash/Beats Ingestion (source‑side solution)

When data is shipped via Logstash, a filter can add a write_time field that copies the event’s @timestamp value.

filter {
  mutate {
    add_field => { "write_time" => "%{[@timestamp]}" }
  }
}

Applicable Scenarios: Log data, messages consumed from queues such as Kafka.

Option 3: Application‑Side Timestamp (hard‑coded in code)

Clients in Java, Go, Python, etc., can manually add a timestamp field when constructing the document, e.g., create_time: new Date().

Cons: Strong dependency on business code; many applications may forget to add the field, leading to inconsistent timestamps.

Tracing Write Time for Historical Data

For existing documents that were indexed before any of the above solutions were applied, the write time cannot be recovered unless the upstream source already carried a timestamp (e.g., MySQL, Kafka) or external audit tools such as ES Auditbeat are used.

Upstream data sources that embed timestamps.

Log or audit plugins (e.g., ES Auditbeat) to assist in locating the time.

Conclusion

Immediate implementation: create and activate the chosen pipeline.

Long‑term plan: enforce a unified pipeline or index template that pre‑defines the timestamp field for all indices.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

ElasticsearchmetadatatimestampLogstashBeatsIngest Pipelinedata indexing
Mingyi World Elasticsearch
Written by

Mingyi World Elasticsearch

The leading WeChat public account for Elasticsearch fundamentals, advanced topics, and hands‑on practice. Join us to dive deep into the ELK Stack (Elasticsearch, Logstash, Kibana, Beats).

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment