The CloudwatchLogs transformer in functionbeat (see here) is using time.Now() for the Timestamp field (ends up as @timestamp in Elasticsearch) rather than extracting the 'timestamp' field from the CloudWatch event, which is there alongside the 'message'.
This means the @timestamp in Elasticsearch is a variable number of seconds later than the actual time the log line was sent to CloudWatch, which is not helpful.
Is there any reason the code in the TODO cannot be uncommented?
Timestamp: time.Now(), // TODO: time.Unix(logEvent.Timestamp, 0),
As per the contributing guidelines I am asking here before filing an issue in GitHub.
Many thanks.
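The conversion the post asks about, as an added Go example that is not part of the post and not functionbeat's own code. It mirrors the shape of a CloudWatch Logs subscription payload in a hand-written struct (a stand-in for events.CloudwatchLogsData from aws-lambda-go, assumed here so nothing external is needed) and shows the one caveat a practitioner would want before uncommenting the TODO: the CloudWatch 'timestamp' is milliseconds since the Unix epoch, so time.Unix(logEvent.Timestamp, 0) would treat milliseconds as seconds and place the event tens of thousands of years in the future. The sample payload and the "received" time are constructed, not captured from a real account.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// cloudwatchLogsData mirrors the decoded "awslogs.data" payload that a
// CloudWatch Logs subscription delivers to a Lambda function. It is a
// hand-written stand-in for events.CloudwatchLogsData (aws-lambda-go),
// assumed here so the example runs without external modules.
type cloudwatchLogsData struct {
	LogGroup  string               `json:"logGroup"`
	LogStream string               `json:"logStream"`
	LogEvents []cloudwatchLogEvent `json:"logEvents"`
}

// cloudwatchLogEvent is one record in logEvents. CloudWatch Logs sets
// "timestamp" to milliseconds since the Unix epoch, not seconds.
type cloudwatchLogEvent struct {
	ID        string `json:"id"`
	Timestamp int64  `json:"timestamp"`
	Message   string `json:"message"`
}

// EventTime converts the millisecond timestamp into a UTC time.Time.
// This is the value that belongs in @timestamp instead of time.Now().
func EventTime(ev cloudwatchLogEvent) time.Time {
	return time.Unix(0, ev.Timestamp*int64(time.Millisecond)).UTC()
}

// NaiveEventTime is the literal conversion in the TODO, time.Unix(ts, 0).
// It reads the millisecond value as seconds, so the result is far in the future.
func NaiveEventTime(ev cloudwatchLogEvent) time.Time {
	return time.Unix(ev.Timestamp, 0).UTC()
}

// IngestDelay is how long after the line was written the record reached the
// function: the skew that stamping with time.Now() bakes into @timestamp.
func IngestDelay(ev cloudwatchLogEvent, received time.Time) time.Duration {
	return received.Sub(EventTime(ev))
}

// sampleEvent is a constructed subscription payload (already base64/gzip
// decoded); 1600000000123 ms is 2020-09-13T12:26:40.123Z.
const sampleEvent = `{
  "logGroup": "/aws/lambda/example-app",
  "logStream": "2020/09/13/[$LATEST]constructed",
  "logEvents": [
    {"id": "0001", "timestamp": 1600000000123, "message": "GET /health 200"},
    {"id": "0002", "timestamp": 1600000001500, "message": "GET /login 401"}
  ]
}`

// ParseSample decodes the constructed payload into the struct above.
func ParseSample() (cloudwatchLogsData, error) {
	var data cloudwatchLogsData
	err := json.Unmarshal([]byte(sampleEvent), &data)
	return data, err
}

func main() {
	data, err := ParseSample()
	if err != nil {
		panic(err)
	}
	// Constructed "now": the function runs roughly 15 s after the first line was written.
	received := time.Date(2020, 9, 13, 12, 26, 55, 0, time.UTC)
	for _, ev := range data.LogEvents {
		fmt.Printf("%s  event=%s  naive=%d(year)  delay=%s  msg=%q\n",
			ev.ID, EventTime(ev).Format(time.RFC3339Nano),
			NaiveEventTime(ev).Year(), IngestDelay(ev, received), ev.Message)
	}
}
```

Running it prints the correct event time next to the year produced by the seconds-based conversion and the ingest delay that time.Now() would otherwise hide, which makes the milliseconds-versus-seconds point visible before the TODO is changed.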