Ingestion pipeline: setting @timestamp

Cristina_Marletta_Li · January 29, 2026, 5:30pm

Hi,

I'd like to set the @timestamp field to the value of event.ingested. It doesn't seem to be possible. My ingestion pipeline:

{
  "processors": [
    {
      "set": {
        "ignore_empty_value": true,
        "field": "time.original",
        "copy_from": "@timestamp"
      }
    },
    {
      "set": {
        "ignore_empty_value": true,
        "field": "@timestamp",
        "copy_from": "event.ingested"
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.message",
        "value": "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message {{ _ingest.on_failure_message }}"
      }
    }
  ]
}

In events the value of @timestamp remains unchanged

Thanks for your help!

leandrojmp · January 29, 2026, 7:07pm

Hello,

Where are you using this? On a custom pipeline for some Elastic Agent integration?

Keith_Massey · January 30, 2026, 2:48pm

Can you give the steps to reproduce the problem? I just tried that pipeline using this:

PUT test/_doc/1?pipeline=test-pipeline
{
    "event": {"ingested": 1234},
    "@timestamp": 5679
}

I get the expected result:

{
  "_index": "test",
  "_id": "1",
  "_version": 17,
  "_seq_no": 17,
  "_primary_term": 1,
  "found": true,
  "_source": {
    "@timestamp": 1234,
    "time": {
      "original": 5679
    },
    "event": {
      "ingested": 1234
    }
  }
}

leandrojmp · January 30, 2026, 4:30pm

The main issue here is that if the OP is using a custom pipeline from any Elastic Agent integration, the event.ingested will not exist at the time the custom ingest pipeline is executed.

The event.ingested field is created by the .fleet_final_pipeline-1 ingest pipeline, which is set as the index.final_pipeline for all Elastic Agent integrations, so this will be only executed after all other pipelines.

All customizations when using Elastic Agent integrations will happen before the field is created, so the user cannot set the @timestamp to the value of event.ingested.

I think the close it can get is to use the value of _ingest.metadata, it will not be the same but probably very close, here is the example from the documentation.

Topic		Replies	Views
Ingest @timestamp Elasticsearch ingest-pipeline	3	468	May 3, 2023
Can't delete/change data in @timestamp field yielded by ingest processor Elasticsearch painless	6	1222	February 15, 2022
Using ingestion pipeline to add metadata information to documents Elasticsearch	2	1042	March 13, 2017
How to add time of ingestion to the document? Elasticsearch	3	3986	August 27, 2020
Ingest pipeline drops the field as @timestamp while loading Elasticsearch's server and slowlog using filebeat Beats filebeat	10	1527	October 5, 2020

Ingestion pipeline: setting @timestamp

Related topics