I changed the first solution (we were referring to) to be:

```
mutate {
  convert => { "acme.date" => "string" }
}
```

and it still does not convert `acme.date` from type date to string, which strikes me as very odd since `mutate`/`convert` is documented as a working feature. It seems pointless to have such a feature if it doesn't work (which is my backward way of asking, rhetorically, why it does not). Clearly, the `dissect` clause is doing its job perfectly.
Note that, however unrelated and irrelevant, `remove_field` works:

```
filter {
  dissect {
    mapping => {
      "message" => "%{acme.date} %{acme.time} CEF:%{acme.version}|%{acme.device_vendor}|%{acme.device_product}|%{acme.device_version}|%{acme.device_event_class_id}|%{acme.name}|%{acme.severity}|%{acme.extensions}"
    }
    remove_field => [ "message" ]
  }
}
```

This removes the superfluous `message` field after the new, split-out fields have been created.
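To make concrete what the `dissect` mapping above does to a CEF line, here is an added example, written for this page and not code from the poster or from Logstash: a small Python implementation of the dissect-style splitting used by that mapping (each `%{name}` captures text up to the next literal delimiter, the final field takes the remainder), followed by the `remove_field` step. The `apply_filter` function, the `CEF_MAPPING` constant and the sample CEF line are all constructed here for illustration.

```python
import re
from typing import Dict, List, Tuple

# Same mapping string as the dissect filter in the post.
CEF_MAPPING = (
    "%{acme.date} %{acme.time} CEF:%{acme.version}|%{acme.device_vendor}|"
    "%{acme.device_product}|%{acme.device_version}|%{acme.device_event_class_id}|"
    "%{acme.name}|%{acme.severity}|%{acme.extensions}"
)

# Constructed sample event; the CEF line and host name are made up for this example.
SAMPLE_LINE = (
    "2024-05-01 12:34:56 CEF:0|Acme|Firewall|1.0|100|Blocked connection|5|"
    "src=10.0.0.5 dst=10.0.0.9 spt=4444 dpt=443"
)

FIELD_RE = re.compile(r"%\{([^}]*)\}")


def compile_pattern(pattern: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a dissect pattern into a leading literal and a list of
    (field_name, delimiter_that_follows) pairs. An empty trailing delimiter
    means the last field consumes the rest of the input."""
    prefix = None
    fields: List[List[str]] = []
    pos = 0
    for m in FIELD_RE.finditer(pattern):
        literal = pattern[pos:m.start()]
        if prefix is None:
            prefix = literal
        else:
            fields[-1][1] = literal  # literal sits between two fields
        fields.append([m.group(1), ""])
        pos = m.end()
    if fields:
        fields[-1][1] = pattern[pos:]  # trailing literal, usually ""
    return prefix or "", [tuple(f) for f in fields]


def dissect(pattern: str, text: str) -> Dict[str, str]:
    """Apply the pattern to text, returning captured fields as strings.
    Raises ValueError when a delimiter is missing, which is the failure
    the real filter reports as a dissect failure tag."""
    prefix, fields = compile_pattern(pattern)
    if not text.startswith(prefix):
        raise ValueError(f"input does not start with {prefix!r}")
    cursor = len(prefix)
    out: Dict[str, str] = {}
    for i, (name, delim) in enumerate(fields):
        last = i == len(fields) - 1
        if last and delim == "":
            value, cursor = text[cursor:], len(text)
        else:
            if delim == "":
                raise ValueError(f"field {name!r} has no delimiter after it")
            end = text.find(delim, cursor)
            if end == -1:
                raise ValueError(f"delimiter {delim!r} not found for field {name!r}")
            value, cursor = text[cursor:end], end + len(delim)
            if last and cursor != len(text):
                raise ValueError("unexpected trailing input after final delimiter")
        if name:  # %{} with an empty name is a skip field and is not stored
            out[name] = value
    return out


def apply_filter(event: Dict[str, str], remove_field=("message",)) -> Dict[str, str]:
    """Mimic the filter block: dissect 'message' into new fields, then drop
    the fields listed in remove_field, as the post's remove_field => ["message"] does."""
    result = dict(event)
    result.update(dissect(CEF_MAPPING, event["message"]))
    for name in remove_field:
        result.pop(name, None)
    return result


if __name__ == "__main__":
    for k, v in apply_filter({"message": SAMPLE_LINE, "host": "constructed-host"}).items():
        print(f"{k} = {v!r}")
```

Every captured value is a plain `str`, including `acme.date`; the parser has no notion of a date type. Note also that a key such as `acme.date` is a single dictionary key containing a dot, mirroring the way the dissect field `%{acme.date}` names one field rather than a nested `acme` object (Logstash's `%{[acme][date]}` field-reference syntax is what names a nested field).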