It would be beneficial to have one more, i.e.:

@timestamp - when the logs are written; solves the question "When did the incident occur?"
@received_at - when the logs are read; solves the question "When did we know the incident occurred?"
What are your thoughts?
Having to manually manipulate index templates, input filters and so forth every upgrade gets old fast for an application maintainer.
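To illustrate the two-timestamp idea from the post above, here is an added example (not code from the project or from the commenter) that stamps each event with a read-time `@received_at`, computes the gap to the writer's `@timestamp`, and flags events that reached the reader late. The JSON-lines input, the field name `ingest_lag_seconds` and the threshold are constructed for the demonstration.

```python
import json
from datetime import datetime

# Constructed sample events in JSON-lines form. @timestamp is set by the
# writer (when the event happened); @received_at does not exist until we read it.
SAMPLE_LOG = """\
{"@timestamp": "2024-03-01T10:00:00Z", "message": "login failed user=alice"}
{"@timestamp": "2024-03-01T10:00:05Z", "message": "login failed user=alice"}
{"@timestamp": "2024-03-01T09:30:00Z", "message": "sudo: root shell opened"}
"""

def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp, accepting the trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def ingest(raw: str, received_at: str) -> list:
    """Read JSON-lines events and add @received_at (the reader's clock).

    received_at is passed in as an RFC 3339 string so the function is
    deterministic; a real shipper would use the current UTC time.
    Each event also gets ingest_lag_seconds = @received_at - @timestamp.
    """
    read_time = parse_ts(received_at)
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["@received_at"] = received_at
        lag = read_time - parse_ts(event["@timestamp"])
        event["ingest_lag_seconds"] = lag.total_seconds()
        events.append(event)
    return events

def late_events(events: list, threshold_seconds: float) -> list:
    """Return events whose @received_at trails @timestamp by more than the threshold.

    A large gap means the log existed for a while before anyone could have
    seen it, i.e. a detection-latency blind spot worth alerting on.
    """
    return [e for e in events if e["ingest_lag_seconds"] > threshold_seconds]

if __name__ == "__main__":
    for e in late_events(ingest(SAMPLE_LOG, "2024-03-01T10:00:10Z"), 300):
        print(e["@timestamp"], "->", e["@received_at"], e["message"])
```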