event.created is the same as@timestamp, but it's supposed to be the time that Filebeat read the log as per ECS https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-created.
event.created contains the date/time when the event was first read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
|
- date: |
|
field: json.eventTime |
|
target_field: "@timestamp" |
|
ignore_failure: true |
|
formats: |
|
- ISO8601 |
|
- set: |
|
field: event.created |
|
value: '{{@timestamp}}' |
event.created is the same as
@timestamp, but it's supposed to be the time that Filebeat read the log as per ECS https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-created.integrations/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
Lines 19 to 27 in a1709e9