Copy timestamp to event.end instead of parsing date again

elastic · Jan 22, 2019 · af68418 · af68418
1 parent 5fed5a9
commit af68418
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
@@ -181,11 +181,9 @@
       ,"ignore_failure": true
       }
     }
-  , {"date":
-      {"field": "suricata.eve.timestamp"
-      ,"target_field": "event.end"
-      , "formats": ["ISO8601"]
-      ,"ignore_failure": true
+  , {"set":
+      {"field": "event.end"
+      ,"value": "{{@timestamp}}"
       }
     }
   , { "script":