Broken waterfall view due to wrong mapping of timestamp.us field

[R0ky]

APM Server version (apm-server version): 8.15.2
We confirmed this bug affected all outputs except Elasticsearch, from 8.15.0 up to and including 8.19.12, 9.2.6 and 9.3.1.

Description of the problem including expected versus actual behavior:
After bundling APM related templates in Elasticsearch (confirmed Elasticsearch version 8.19.8, but others are likely also impacted), new templates do not contain an explicit mapping for timestamp.us, while previous versions did. If APM-server ships data directly to Elasticsearch, dynamic mapping works as expected and timestamp.us is mapped as long:

"timestamp": {
    "properties": {
        "us": {
            "type": "long"
        }
    }
}

If we introduce Logstash in between (APM Server -> Logstash -> Elasticsearch), then the field can get mapped as float which breaks the waterfall view:

   "timestamp": {
          "properties": {
            "us": {
              "type": "float"
            }
          }
        }

This is due to how the transformation between APMEvent to libbeat.Event works. This code path is used only for some outputs that travel through libbeat. The result is sometimes an output like this that is mapped by Elasticsearch dymanic mapping to float:

 "timestamp": {
        "us": 1.772028649517038E15

Steps to reproduce:

1. Deploy APM server 8.15.2
2. Deploy Logstash 8.19.8
3. Deploy Elasticsearch and Kibana 8.19.8
4. Configure APM server to ship data to Logstash
5. Configure Logstash to forward data to Elasticsearch without any filters
6. Instrument an application (java in this example)
7. Once APM data is indexed in Elasticsearch verify the mapping traces-apm* indices and notice wrong mapping of timestamp.us field
8. Review broken waterfall in traces UI

[lucabelluccini]

Workaround until this gets fixed is to create a traces-apm@custom component template with the following mapping:

  "mappings": {
      "properties": {
        "timestamp": {
          "properties": {
            "us": {
              "type": "long"
            }
          }
        }
      }
    }

[endorama]

I updated the description to update our understanding of the culprit for the issue. It does not lie on Logstash but on APM Server.

All APM Server outputs that are not Elasticsearch travel through libbeat, using a JSON marshalling implementation provided by the beater framework.

This is the problematic function:

apm-server/internal/publish/pub.go

Lines 183 to 209 in 38cc107

	func (t batchTransformer) Transform(context.Context) []beat.Event {
	out := make([]beat.Event, 0, len(t))
	var w fastjson.Writer
	for _, event := range t {
	// Encode the event to JSON, then decode into a map.
	// This is probably a bit horrifying, but enables us to
	// remove the libbeat dependency from our data model.
	//
	// This code path exists only for lesser-used outputs
	// that travel through libbeat. We mitigate the overhead
	// of the extra encode/decode by reusing a memory buffer
	// within a batch. This will also enable us to move away
	// from the intermediate map representation for events,
	// and encode directly to JSON, minimising garbage for
	// the Elasticsearch output.
	if err := modeljson.MarshalAPMEvent(event, &w); err != nil {
	continue
	}
	beatEvent := beat.Event{Timestamp: modelpb.ToTime(event.Timestamp)}
	if err := json.Unmarshal(w.Bytes(), &beatEvent.Fields); err != nil {
	continue
	}
	out = append(out, beatEvent)
	w.Reset()
	}
	return out
	}

And this is the problematic call:

apm-server/internal/publish/pub.go

Line 202 in 38cc107

if err := json.Unmarshal(w.Bytes(), &beatEvent.Fields); err != nil {

Here we're using Go stdlib json function and this leads to introducing the JSON float exponential notation, which Elasticsearch infers to be a float when no other mapping is specified.

This bug affect all outputs except Elasticsearch from 8.15.0 up to and including 8.19.12, 9.2.6 and 9.3.1.

The fix is to explicitly map the timestamp.us field to long, avoiding the Elasticsearch data type inference.

Working on it.

[endorama]

Draft PR is up: elastic/elasticsearch#143173

I've already tested the basic use case of sending data to a development build and it works as expected. The setup is APM Server => Logstash => Elasticsearch.

before:

❯ curl -s "http://localhost:9200/_field_caps?fields=timestamp.us&index=traces-apm*&pretty"
{
  "indices" : [
    ".ds-traces-apm-default-2026.02.26-000001"
  ],
  "fields" : {
    "timestamp.us" : {
      "float" : {
        "type" : "float",
        "metadata_field" : false,
        "searchable" : true,
        "aggregatable" : true
      }
    },
    "timestamp" : {
      "object" : {
        "type" : "object",
        "metadata_field" : false,
        "searchable" : false,
        "aggregatable" : false
      }
    }
  }
}

after:

❯ curl -s "http://localhost:9200/_field_caps?fields=timestamp.us&index=traces-apm*&pretty"
{
  "indices" : [
    ".ds-traces-apm-default-2026.02.26-000001"
  ],
  "fields" : {
    "timestamp.us" : {
      "long" : {
        "type" : "long",
        "metadata_field" : false,
        "searchable" : true,
        "aggregatable" : true
      }
    },
    "timestamp" : {
      "object" : {
        "type" : "object",
        "metadata_field" : false,
        "searchable" : false,
        "aggregatable" : false
      }
    }
  }
}

Now in process of testing the upgrade to the new dev build from 9.3.1.

We will need to add an integration test for this.

[endorama]

Tested upgrading from 9.3.1 to a development build that includes elastic/elasticsearch#143173

on 9.3.1:

checking timestamp.us type (expected float)
{"indices":[".ds-traces-apm-default-2026.02.27-000001"],"fields":{"timestamp.us":{"float":{"type":"float","metadata_field":false,"searchable":true,"aggregatable":true}},"timestamp":{"object":{"type":"object","metadata_field":false,"searchable":false,"aggregatable":false}}}}
upgrading Elasticsearch to elasticsearch:test

on development version:

checking timestamp.us type (expected long)
{"indices":[".ds-traces-apm-default-2026.02.27-000002"],"fields":{"timestamp.us":{"long":{"type":"long","metadata_field":false,"searchable":true,"aggregatable":true}},"timestamp":{"object":{"type":"object","metadata_field":false,"searchable":false,"aggregatable":false}}}}

We can observe a rollover happened from .ds-traces-apm-default-2026.02.27-000001 to .ds-traces-apm-default-2026.02.27-000002 and the field from float is now long.

Will finalize bugfix PR next.