due to the fact that i need the real @timestamp from the log lines, not when the line was received, i'll have to move from filebeat > elasticsearch to filebeat > logstash > elasticsearch.
shame, because i like the simplicity.
i also love the sample kibana dashboards, and would like to keep them, even after logstash does its thing.
what's the best way to accomplish this?
maintain the index name pattern?
keep the filebeat fields?
what if i update filebeat and the mapping changes?