What is the significance of read_timestamp and how to specify it in filebeat config

Official documentation says:
read_timestamp
In case the ingest pipeline parses the timestamp from the log contents, it stores the original @timestamp (representing the time when the log line was read) in this field.

However, I am not able to figure out how and where to use this read_timestamp. What is the use case where it will be helpful?

You can't configure in the Filebeat config whether you want this field or not. An interesting value you could get out of it is the difference in the time when the event was read vs. when the log event actually happened. If you don't need the field, it's best to just ignore it.
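
The read-versus-event time difference mentioned in the reply above, as an added example that is not part of the original thread or of Filebeat itself. It assumes documents carry `@timestamp` and `read_timestamp` as top-level ISO 8601 strings; the `host` field, the sample events and both thresholds are constructed for illustration.

```python
from datetime import datetime

# Constructed sample documents: @timestamp is the time parsed from the log
# line, read_timestamp is the time the line was read.
SAMPLE_EVENTS = [
    {"host": "web-1", "@timestamp": "2018-03-01T10:00:00.000Z", "read_timestamp": "2018-03-01T10:00:02.500Z"},
    {"host": "web-1", "@timestamp": "2018-03-01T10:00:05.000Z", "read_timestamp": "2018-03-01T10:00:06.000Z"},
    {"host": "web-2", "@timestamp": "2018-03-01T09:00:00.000Z", "read_timestamp": "2018-03-01T10:30:00.000Z"},
    {"host": "web-3", "@timestamp": "2018-03-01T10:05:00.000Z", "read_timestamp": "2018-03-01T10:04:50.000Z"},
    {"host": "web-3", "@timestamp": "2018-03-01T10:06:00.000Z"},  # no timestamp parsed by the pipeline
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2018-03-01T10:00:02.500Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def read_lag(event):
    """Seconds between the log's own time and the time it was read, or None."""
    if "read_timestamp" not in event:
        return None  # @timestamp is still the read time, nothing to compare
    delta = parse_ts(event["read_timestamp"]) - parse_ts(event["@timestamp"])
    return delta.total_seconds()

def classify(events, max_lag=300.0, max_skew=5.0):
    """Sort events by lag: ok, delayed (read late), future (log time ahead of read time)."""
    result = {"ok": [], "delayed": [], "future": [], "no_read_timestamp": []}
    for ev in events:
        lag = read_lag(ev)
        if lag is None:
            result["no_read_timestamp"].append(ev["host"])
        elif lag > max_lag:
            result["delayed"].append((ev["host"], lag))   # shipping backlog or backfill
        elif lag < -max_skew:
            result["future"].append((ev["host"], lag))    # clock skew or wrong timezone
        else:
            result["ok"].append((ev["host"], lag))
    return result

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_EVENTS).items():
        print(bucket, items)
```

Events in the delayed bucket arrive after any alerting rule that only looks at a recent `@timestamp` window has already run, so a large lag is worth monitoring per host.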
