Elasticsearch output question. How can I get the default `@timestamp` on elastic output? It seems like `_time` should automatically be renamed to `@timestamp`.
That's the document I set manually. Not working
Documentation problem maybe regarding "ingest pipeline". I used the field "Elastic pipeline" but that didn't work. I had to use the "extra parameters".
Not working:
Working:
I had problems with an older version of Cribl with the pipeline; it wasn't being put in the correct place in the URL that was constructed for the API call.
After adding the extra parameter, I see this: `POST /_bulk?pipeline=remove_id HTTP/1.1`
What do you see when it is specified in the Elastic pipeline field?
I feel a bug report coming on....
Just `_bulk`
Was just looking at this with somebody else. The problem is that it needs to be "quoted"
Then, it shows up in the proper place:
```
{"create":{"_index":"interfaces-sensors-ptx","pipeline":"remove_id","_id":"885zjZkprnmYaz69"}}
```
I think this should be a little clearer:
```
Elastic pipeline: To send data to an Elastic Ingest pipeline, optionally enter that pipeline's name as a constant.
```
optionally should not be there. It should say JavaScript or quoted constant.
Sheesh, <@UUP82DJHE>, nothing like calling me in at the end of a crazy long thread. But thanks for tagging me, I'll see if we can get that cleared up.
Hi <@U0410L186KS>, if you just want to add the new @timestamp field to the event, in place of _time... this is an easy way to create a field with special characters.
`__e['@timestamp']`
<@U02JJLAGJHF> Thanks. I also see that "undefined". Learning the tricks
then "undefined" just eliminates that other `_time` field from the event. Enjoy!!!
What is so special with `__e` ?
Yep, steal the time from _time, throw it into a new custom field, then get rid of _time.
__e allows you to create/reference fields with custom characters.
Refer to this for more info: https://docs.cribl.io/stream/introduction-reference#special-chars
Sometimes you will need to reference a field from a source that uses those "non standard" characters, etc. This way you can still use that data, or correct it, before moving on. OK? Good Luck <@U0410L186KS>
Got it.