Tags: elasticsearch, logstash, kibana, kibana-4, elastic-stack

ELK most appropriate timestamp name _ or @


What is the most appropriate name for the timestamp when utilizing Logstash to parse logs into Elasticsearch, then visualizing with Kibana?

I am defining the timestamp using date in a filter:

date {
     match => [ "logtime", "yy-MM-dd HH:mm:ss" ]
}

Logstash automatically puts this into the @timestamp field. Kibana can be configured to use any correctly formatted field as the timestamp, but it seems to be correct to use _timestamp in Elasticsearch. To do that, you have to mutate and rename the datestamp field.

mutate {
     rename => { "@timestamp" => "_timestamp" }
}

Which is slightly annoying.

This question could be entirely semantic - but is it most correct to use _timestamp, or is it just fine to use @timestamp? Are there any other considerations which should influence the naming of the timestamp field?


Solution

  • Elasticsearch allows you to define fields starting with an underscore; however, Kibana (since v4) will only show the ones declared outside of the _source document.

    You should definitely keep with @timestamp which is the standard way to name the timestamp field in Logstash. Kibana will not allow you to use _timestamp.
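As an added example (not code from the question or the answer above), here is a complete Logstash pipeline that follows the answer's advice and keeps the parsed time in @timestamp. It assumes each input line is a JSON object that already carries a "logtime" field; the stdin/stdout plugins are only there so it can be tried locally.

```logstash
# Added example: keep the parsed log time in @timestamp instead of renaming it.
# Assumption: input lines are JSON objects such as (constructed sample)
#   {"logtime":"15-03-04 12:30:45","message":"login failed for user bob"}
input {
  stdin { codec => json }
}

filter {
  date {
    match    => [ "logtime", "yy-MM-dd HH:mm:ss" ]
    target   => "@timestamp"   # the default; written out to make the choice explicit
    timezone => "UTC"          # the pattern carries no zone, so state the one the logs use
    # On a parse failure the event is tagged "_dateparsefailure" (the default
    # tag_on_failure) and @timestamp keeps the ingest time, so bad lines stay visible.
  }

  # Do not rename @timestamp to _timestamp: as the answer explains, Kibana 4 will not
  # offer such a field as the time field. Drop the raw string instead, so the event
  # carries exactly one time field, and only when parsing actually succeeded.
  if "_dateparsefailure" not in [tags] {
    mutate { remove_field => [ "logtime" ] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Events that fail to parse keep both the original "logtime" string and the "_dateparsefailure" tag, which is what you want to filter on in Kibana when checking that the pattern matches every log source.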