You do not need a sprintf reference; just give it the name of the field. Also, [start] is in milliseconds.
date { match => ["start", "UNIX_MS"] }
Also, if you are reading CEF messages from an input, then a cef codec might help you. But only if the messages are pure CEF. If there is a header or trailer, the codec will not work. (Personally, I would love to see a cef filter in addition to a cef codec.)
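As an added illustration of the two points above (this is example code written for this page, not the poster's code or anything from Logstash), the parser below handles the case the cef codec cannot: a CEF payload that arrives behind a syslog header. It cuts off everything before `CEF:`, splits the seven pipe-delimited header fields while honouring `\|` and `\\` escapes, parses the `key=value` extension (honouring `\=`), and converts `start` from epoch milliseconds, which is the same conversion the `UNIX_MS` pattern does in the date filter. The sample message, the `<134>...fw01` syslog prefix and all field values are constructed for the example; a trailer after the extension is not handled.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a syslog header in front of the CEF payload, i.e. the case
# where the cef codec will not work and the message has to be cut apart first.
SAMPLE = (
    "<134>Mar 10 12:34:56 fw01 "
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232 start=1703592000123 "
    "msg=user\\=alice logged in"
)

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# A key is a run of word characters followed by '=' at the start of the extension
# or after whitespace; an escaped '\=' inside a value never matches this.
_KEY_RE = re.compile(r"(?<!\S)(\w+)=")


def _split_header(payload):
    """Split 'CEF:ver|vendor|product|version|sigid|name|severity|ext' into 8 fields.

    Pipes escaped as '\\|' and backslashes escaped as '\\\\' are unescaped; the
    extension (everything after the 7th pipe) is returned raw.
    """
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header does not contain 7 pipe-delimited fields")
    fields.append(payload[i:])
    return fields


def _parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...'; values may contain spaces and '\\=' escapes."""
    out = {}
    matches = list(_KEY_RE.finditer(ext))
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        raw = ext[m.end():end].rstrip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # unescape \= and \\
    return out


def parse_cef(line):
    """Parse one line that is either pure CEF or CEF with an arbitrary prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    prefix = line[:idx].strip()
    fields = _split_header(line[idx:])
    return {
        "syslog_prefix": prefix or None,
        "cef_version": int(fields[0][len("CEF:"):]),
        "device_vendor": fields[1],
        "device_product": fields[2],
        "device_version": fields[3],
        "signature_id": fields[4],
        "name": fields[5],
        "severity": fields[6],
        "extension": _parse_extension(fields[7]),
    }


def start_time(event):
    """CEF 'start' is epoch milliseconds, so it must not be treated as seconds."""
    ms = int(event["extension"]["start"])
    return _EPOCH + timedelta(milliseconds=ms)


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev)
    print(start_time(ev).isoformat())
```

Feeding the same line to the cef codec would fail on the `<134>Mar 10 ...` prefix; stripping it first (here with `find("CEF:")`, in Logstash typically with a grok pattern that captures the remainder) is what makes the payload "pure CEF" again.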