Adding a new field to an index

In our Elasticsearch index, we have a field `time` that records the time a document was inserted. We would like to update the index to store this in the default timestamp field (_timestamp).

Please, how can I do that? @warkolm @dadoonet

The default timestamp field is @timestamp.
Are you using Logstash?

Please don't do this, it's very annoying and will likely just see any people you ping ignore you.

No we don't currently use logstash.

OK, thanks for informing me.

What are you using then?

We just have an Elasticsearch index. We are planning to use ElastAlert for alerting, and it (ElastAlert) requires the @timestamp field for sorting.

I've had to normalize times across logs. You want to keep the timestamp field, but you might have an operation parsing out the date to match a particular format. You can, in your GROK section, add the following two lines:

```
grok {
  # assumed pattern, shown only for context: captures the embedded time into the 'timestamp' field
  match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{GREEDYDATA:msg}" }
  add_field => [ "received_at", "%{@timestamp}" ]  # preserves the original time the event was received
}
date { match => [ "timestamp", "MMM d HH:mm:ss" ] }  # or whatever format your embedded timestamp appears in; make sure "MMM d ..." matches how it looks in your file. Overwrites @timestamp
```
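For the situation described at the top of the thread (documents already in an index, each carrying a `time` field, and a tool that needs `@timestamp`), the following is an added example, not code posted by anyone in this thread: a Logstash pipeline that reads the existing index, parses `time` into `@timestamp` with the date filter, and writes the result into a new index so the original is left untouched. The host, the index names and the `time` formats (ISO 8601 or epoch milliseconds) are assumptions and need to be adjusted to the actual data.

```conf
# Reindex through Logstash, populating @timestamp from an existing 'time' field.
# Assumptions (not from the thread): Elasticsearch on localhost:9200, the source
# index is 'myindex', and 'time' is either ISO 8601 or epoch milliseconds.
input {
  elasticsearch {
    hosts          => ["http://localhost:9200"]
    index          => "myindex"
    docinfo        => true                  # expose _index, _type, _id of each hit
    docinfo_target => "[@metadata][doc]"    # @metadata is not written to the output
  }
}

filter {
  # Parse 'time' and write the result into @timestamp (the date filter's default target).
  # 'time' itself is kept, so nothing is lost if parsing fails.
  date {
    match => [ "time", "ISO8601", "UNIX_MS" ]
  }
  # Events whose 'time' matched neither format get a '_dateparsefailure' tag;
  # route them to a separate index so they can be inspected instead of silently
  # carrying the ingestion time in @timestamp.
  if "_dateparsefailure" in [tags] {
    mutate { add_field => { "[@metadata][target_index]" => "myindex-v2-unparsed" } }
  } else {
    mutate { add_field => { "[@metadata][target_index]" => "myindex-v2" } }
  }
}

output {
  elasticsearch {
    hosts       => ["http://localhost:9200"]
    index       => "%{[@metadata][target_index]}"
    document_id => "%{[@metadata][doc][_id]}"   # keep the original document IDs
  }
}
```

Run it once as a batch (`bin/logstash -f reindex.conf`); the elasticsearch input exits when the scroll is exhausted. Before pointing ElastAlert at `myindex-v2`, check that `myindex-v2-unparsed` is empty, since every document landing there has an `@timestamp` equal to the reindex time rather than the event time, which would make alert windows and sorting silently wrong.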