Thanks for the response, it does seem like the pattern is actually wrong. Aside from the pattern being incorrect, I noticed that the issue is with the data itself that i'm pulling from our Microsoft sql DB. The data in the DB is marked as "__createdAt" however when the data is pulled in from Logstash into Elasticsearch it appears as "createdat.timestamp" and " createdat.Offset". I suppose my first question is what is splitting my "__createdAt" field into the aforementioned two other fields and when is it happening?
Secondly i'm curious if there is anything I can do about it or how I should be looking for this field in my Grok match patterns?