One (1) date field as default in index templates is not enough, or is it?

It would be beneficial to have one more, i.e.:
@timestamp: when the logs are written; answers the question "When did the incident occur?"
@received_at: when the logs are read; answers the question "When did we know the incident occurred?"

What are your thoughts?

Having to manually manipulate index templates, input filters and so forth every upgrade gets old fast for an application maintainer.
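The following is an added example, not part of the original post: it shows what the two-field scheme described above looks like in practice, with a mapping that declares both date fields and a small pipeline step that stamps @received_at at ingest time and measures the gap between the two. The mapping uses Elasticsearch-style index template JSON and the pipeline step is plain Python standing in for whatever input filter actually runs; both are assumptions, since the post names neither the product nor its syntax. The sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed Elasticsearch-style index template declaring both date fields.
# The post does not show its own template; this is an illustration.
INDEX_TEMPLATE = {
    "index_patterns": ["logs-*"],
    "template": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},    # when the event was written by the source
                "@received_at": {"type": "date"},  # when the pipeline first read the event
                "message": {"type": "text"},
            }
        }
    },
}


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; accept a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def enrich(event: dict, now: Optional[datetime] = None) -> dict:
    """Return a copy of the event stamped with @received_at (UTC, ISO 8601).

    An existing @received_at is kept so that a value set by an earlier
    pipeline stage is never overwritten with a later one.
    """
    now = now or datetime.now(timezone.utc)
    out = dict(event)
    out.setdefault("@received_at", now.isoformat().replace("+00:00", "Z"))
    return out


def ingest_lag(event: dict) -> timedelta:
    """How long after the event was written did the pipeline see it?"""
    return _parse(event["@received_at"]) - _parse(event["@timestamp"])


def delayed_events(events: list, threshold: timedelta) -> list:
    """Events whose ingest lag exceeds the threshold, e.g. a shipper that was
    offline: these are the cases where 'when did we know' and 'when did it
    happen' diverge enough to matter for an investigation timeline."""
    return [e for e in events if ingest_lag(e) > threshold]


# Constructed sample events. The first arrived promptly; the second is a
# log line written three days before the pipeline finally read it.
PIPELINE_NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
RAW_EVENTS = [
    {"@timestamp": "2024-05-01T09:59:58Z", "message": "user login ok"},
    {"@timestamp": "2024-04-28T09:30:00Z", "message": "sudo: auth failure"},
]
EVENTS = [enrich(e, now=PIPELINE_NOW) for e in RAW_EVENTS]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["@timestamp"], e["@received_at"], ingest_lag(e))
    print("delayed:", delayed_events(EVENTS, timedelta(minutes=5)))
```

The lag check is the part worth keeping in a real pipeline: a field that only records when the log was written cannot reveal that a host's logs stopped arriving for three days, whereas the difference between the two fields makes such gaps queryable.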
