One (1) date field as default in index templates is not enough, or is it?


#1

It would be beneficial to have one more, i.e.:
@timestamp when the logs are written, solves the question "When did the incident occur?"
@received_at when the logs are read, solves the question "When did we know the incident occurred?"

What are your thoughts?

Having to manually manipulate index templates, input filters and so forth every upgrade gets old fast for an application maintainer.
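
The distinction drawn in the post above, as an added example that is not part of the original thread: with both fields present, the gap between `@received_at` and `@timestamp` can be checked per event to surface late-arriving or future-dated logs. The sample events, host names and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events carrying the two fields proposed in the post.
EVENTS = [
    {"host": "web-1", "@timestamp": "2024-03-01T10:00:00Z", "@received_at": "2024-03-01T10:00:02Z"},
    {"host": "web-2", "@timestamp": "2024-03-01T10:00:05Z", "@received_at": "2024-03-01T16:30:00Z"},
    {"host": "db-1", "@timestamp": "2024-03-01T10:05:00Z", "@received_at": "2024-03-01T10:00:10Z"},
    {"host": "db-2", "@timestamp": "2024-03-01T10:01:00Z"},  # pipeline never stamped it
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(event, max_lag=timedelta(minutes=5), max_skew=timedelta(seconds=30)):
    """Return (status, lag), where lag = @received_at - @timestamp.

    max_lag and max_skew are assumed thresholds; tune them per log source.
    """
    if "@timestamp" not in event or "@received_at" not in event:
        return ("missing_field", None)
    lag = parse_ts(event["@received_at"]) - parse_ts(event["@timestamp"])
    if lag < -max_skew:
        # The event claims to have happened after it was received:
        # clock skew on the source, or a source-side timestamp that was altered.
        return ("future_dated", lag)
    if lag > max_lag:
        # The incident occurred long before anyone could have known about it.
        return ("late_arrival", lag)
    return ("ok", lag)


def report(events):
    """Map each host to its (status, lag) classification."""
    return {e["host"]: classify(e) for e in events}


if __name__ == "__main__":
    for host, (status, lag) in report(EVENTS).items():
        print(f"{host:6} {status:14} lag={lag}")
```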

