From 14559b081d857709f3aed9c5761f07e3a27dd598 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 12 Oct 2020 17:19:23 +0000
Subject: [PATCH] Ensure Zeek logs without ts field have an @timestamp field
 associated

---
 salt/elasticsearch/files/ingest/zeek.common | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.common b/salt/elasticsearch/files/ingest/zeek.common
index 76bdd700e..563f5956b 100644
--- a/salt/elasticsearch/files/ingest/zeek.common
+++ b/salt/elasticsearch/files/ingest/zeek.common
@@ -1,7 +1,8 @@
 {
   "description" : "zeek.common",
   "processors" : [
-    { "rename":		{ "field": "@timestamp",	"target_field": "ingest.timestamp",	"ignore_missing": true					} },
+    { "rename":         { "if": "ctx.message2?.ts != null", "field": "@timestamp",      "target_field": "ingest.timestamp",     "ignore_missing": true                                  } },
+    { "set":            { "if": "ctx.message2?.ts == null", "field": "ingest.timestamp",      "value": "{{ @timestamp }}"       } },
     { "rename":         { "field": "message2.uid",              "target_field": "log.id.uid",                  "ignore_missing": true  } },
     { "dot_expander":   { "field": "id.orig_h",                 "path": "message2",                     "ignore_failure": true  } },
     { "dot_expander":   { "field": "id.orig_p",                 "path": "message2",                     "ignore_failure": true  } },