How can I get the default `@timestamp` on elastic output?

That's the document I set manually. Not working :slightly_smiling_face:

Documentation problem maybe regarding "ingest pipeline". I used the field "Elastic pipeline" but that didn't work. I had to use the "extra parameters".

Not working:

Working:

I had problems with an older version of Cribl with the pipeline, it wasn't being put in the correct place in the url that was constructed for the API call

After adding the extra parameter, I see this: `POST /_bulk?pipeline=remove_id HTTP/1.1`

What do you see when it is specified in the Elastic pipeline field?

I feel a bug report coming on....

Just `_bulk`

Was just looking at this with somebody else. The problem is that it needs to be "quoted"

Then, it shows up in the proper place:```{"create":{"_index":"interfaces-sensors-ptx","pipeline":"remove_id","_id":"885zjZkprnmYaz69"}}```

I think this should be a little clearer:```Elastic pipeline: To send data to an Elastic Ingest pipeline, optionally enter that pipeline's name as a constant.```

optionally should not be there. It should say JavaScript or quoted constant.

<@U03CJ90F91A&gt; :point_up:

Sheesh, <@UUP82DJHE&gt;, nothing like calling me in at the end of a crazy long thread. But thanks for tagging me, I'll see if we can get that cleared up.

Hi <@U0410L186KS&gt;, if you just want to add the new @timestamp field to the event, in place of _time... this is an easy way to create a field with special characters.

`__e['@timestamp';]`

<@U02JJLAGJHF&gt; Thanks. I also see that "undefined". Learning the tricks

then "undefined" just eliminates that other `_time` field from the event. Enjoy!!!

What is so special with `__e` ?

Yep, steal the time from _time, throw it into a new custom field, then get rid of _time.

__e allows you to create/reference fields with custom characters.

Refer to this for more info:https://docs.cribl.io/stream/introduction-reference#special-chars

Sometimes you will need to reference a field from a source that uses those "non standard" characters, etc. This way you can still use that data, or correct it, before moving on. OK? Good Luck <@U0410L186KS&gt;

Got it.