I am also wondering if it is possible to rename the "@timestamp" field. For my logs I have a date field, "logdate", that is based on when the logs were originally created along with the "@timestamp" field for when they were sent to ES. I am hoping to rename "@timestamp" to something more descriptive like "stashdate" so that other users do not get confused by the two date fields.
Unfortunately neither is possible in Kibana currently, though we do have a popular request for field name aliases here: https://github.com/elastic/kibana/issues/1896. How are you ingesting your data? Perhaps you can change the name at that level?
Thank you for the prompt reply! I am using Grok patterns to bring the data into ES through Logstash. I tried using the Logstash mutate filter plugin to rename @timestamp but got an error in the console about there being no @timestamp field. Is there another option to rename it before it is sent to Elasticsearch? Maybe copying the values to another field with a different name and then using remove_field for @timestamp?
You should be able to do this by giving the time field a custom field name, and then using the date filter plugin to make sure it's captured as a date type.
Hmm, it does look like there is, as mentioned in the above blog post:
For bonus points, you can remove the now-superfluous timestamp field (since you overwrote @timestamp), by adding remove_field => "timestamp" to your date filter block. This will only delete the timestamp field upon successful conversion. This way you're not filling up your indices with a redundant timestamp field.
But it looks like you aren't using the date filter to achieve the second time field, so perhaps those instructions won't work. Have you checked out remove_field, available in the ruby filter? Take a look at these docs:
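An added example, not part of the thread or of the Logstash documentation: a Logstash filter block that follows the suggestions above, keeping the original event time in `logdate` as a real date and copying the ingest time from `@timestamp` into `stashdate`. The grok pattern and the log layout it expects are assumptions; the field names `logdate` and `stashdate` come from the question.

```logstash
filter {
  # Assumed log layout: "<ISO8601 timestamp> <rest of line>".
  # Replace with the grok pattern already used for these logs.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:logdate} %{GREEDYDATA:log_message}" }
  }

  # Parse logdate and write the result back to logdate instead of the
  # default target (@timestamp), so the event time and the ingest time
  # stay in separate fields and logdate is indexed as a date.
  date {
    match  => ["logdate", "ISO8601"]
    target => "logdate"
    # Events whose logdate cannot be parsed are tagged, not dropped,
    # so bad timestamps remain visible downstream.
    tag_on_failure => ["_dateparsefailure"]
  }

  # Copy the ingest time into a descriptively named field. The sprintf
  # reference renders @timestamp as an ISO8601 string, which
  # Elasticsearch's default date detection maps as a date.
  mutate {
    add_field => { "stashdate" => "%{@timestamp}" }
  }

  # Optional: drop @timestamp once stashdate exists. Date-based index
  # names such as "logstash-%{+YYYY.MM.dd}" in the elasticsearch output
  # are computed from @timestamp, so use a fixed index name (or keep
  # @timestamp) if this block is enabled.
  mutate {
    remove_field => ["@timestamp"]
  }
}
```

Keeping both times matters for investigations: `logdate` orders events as they happened on the source, while `stashdate` shows when they reached the pipeline, and a large gap between the two can indicate delayed or replayed logs.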