[release-6.5]LOG-8697:Use event.lastTimestamp instead of metadata.creationTimestamp for Kubernetes#3244
Open
vparfonov wants to merge 1 commit intoopenshift:release-6.5from
Open
[release-6.5]LOG-8697:Use event.lastTimestamp instead of metadata.creationTimestamp for Kubernetes#3244vparfonov wants to merge 1 commit intoopenshift:release-6.5from
vparfonov wants to merge 1 commit intoopenshift:release-6.5from
Conversation
…ernetes event logs EventRouter updates existing Event objects instead of creating new ones. The original metadata.creationTimestamp may therefore be days/weeks old while lastTimestamp reflects the most recent occurrence. Using creationTimestamp caused Loki (others sinks possibly) to reject records with "greater_than_max_sample_age". Use lastTimestamp for @timestamp and timestamp fields so event updates are ingested with the correct time. The fallback chain is: lastTimestamp -> firstTimestamp -> eventTime -> creationTimestamp
Contributor
Author
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vparfonov The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Review Summary by QodoUse event.lastTimestamp for Kubernetes event log timestamps
WalkthroughsDescription• Use event.lastTimestamp instead of metadata.creationTimestamp for Kubernetes event logs • Implement timestamp fallback chain: lastTimestamp → firstTimestamp → eventTime → creationTimestamp • Set both @timestamp and timestamp fields with correct event time • Add Loki output support and timestamp validation tests Diagramflowchart LR
A["EventRouter Events"] -->|"Extract timestamp"| B["Timestamp Fallback Chain"]
B -->|"lastTimestamp available"| C["Use lastTimestamp"]
B -->|"lastTimestamp null/empty"| D["Try firstTimestamp"]
D -->|"firstTimestamp null/empty"| E["Try eventTime"]
E -->|"eventTime null/empty"| F["Use creationTimestamp"]
C --> G["Set @timestamp and timestamp fields"]
D --> G
E --> G
F --> G
G -->|"Prevent Loki rejection"| H["Correct log ingestion"]
File Changes1. internal/generator/vector/filter/openshift/viaq/v1/normalize.go
|
Code Review by Qodo
1. Null timestamp clobbers time
|
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
Comment on lines
+22
to
+33
| ts = ._internal.kubernetes.event.lastTimestamp | ||
| if ts == null || ts == "" || ts == "0001-01-01T00:00:00Z" { | ||
| ts = ._internal.kubernetes.event.firstTimestamp | ||
| } | ||
| if ts == null || ts == "" || ts == "0001-01-01T00:00:00Z" { | ||
| ts = ._internal.kubernetes.event.eventTime | ||
| } | ||
| if ts == null || ts == "" { | ||
| ts = ._internal.kubernetes.event.metadata.creationTimestamp | ||
| } | ||
| ._internal."@timestamp" = ts | ||
| ._internal.timestamp = ts |
There was a problem hiding this comment.
1. Null timestamp clobbers time 🐞 Bug ≡ Correctness
The EventRouter timestamp selection unconditionally assigns ._internal.timestamp = ts even when all candidate event timestamp fields are null/empty, which can erase the original CRI/source timestamp and emit records with null/zero @timestamp/timestamp. This can break downstream time-based indexing/sorting and violates the prior behavior where the CRI timestamp would have remained intact if the event lacked timestamps.
Agent Prompt
### Issue description
EventRouter timestamp fallback assigns `._internal.timestamp = ts` even when `ts` remains `null`/empty after checking `lastTimestamp`, `firstTimestamp`, `eventTime`, and `metadata.creationTimestamp`. This can overwrite the original container log timestamp (from the kubernetes_logs source) and lead to output records with missing/zero `@timestamp` and `timestamp`.
### Issue Context
The Vector pipeline ultimately sets root `.timestamp` and `.@timestamp` from `._internal.timestamp`, so clobbering it with null propagates to all sinks.
### Fix Focus Areas
- internal/generator/vector/filter/openshift/viaq/v1/normalize.go[19-33]
- internal/generator/vector/conf/complex.toml[722-736]
- internal/generator/vector/conf/complex_http_receiver.toml[760-774]
- internal/generator/vector/conf/container.toml[313-327]
### Suggested change
After the fallback chain, add a final safeguard:
- If `ts` is still `null`/""/"0001-01-01T00:00:00Z", fall back to the pre-existing `._internal.timestamp` (the CRI/source timestamp) or `now()`.
- Only override `._internal.timestamp` (and any related fields) when `ts` is valid.
Example VRL pattern:
```vrl
# ...existing fallback chain...
if ts == null || ts == "" || ts == "0001-01-01T00:00:00Z" {
ts = ._internal.timestamp
}
if ts != null && ts != "" && ts != "0001-01-01T00:00:00Z" {
._internal.timestamp = ts
._internal."@timestamp" = ts
}
```
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
Contributor
Author
|
/retest |
vparfonov
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@vparfonov: This pull request references LOG-8697 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Contributor
Author
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
Contributor
Author
|
/test e2e-target |
|
PR-Agent: could not fine a component named |
Contributor
|
@vparfonov: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
backport #3226
/cc @cahartma @Clee2691
/assign @jcantrill
Links