基于这个问题，这可能是一个潜在的选择，那就是使用filebeat处理器。你可以做的是使用下面的脚本将初始的@timestamp值写入另一个字段，比如event.ingested：

#Script to move the timestamp to the event.ingested field
  - script:
      lang: javascript
      id: init_format
      source: >
        function process(event) {
            var fieldTest = event.Get("@timestamp");
            event.Put("event.ingested", fieldTest);
        }

然后，您编写的最后一个处理器可以使用以下处理器将event.ingested字段再次移动到@timestamp：

#setting the timestamp field to the Date/time when the event originated, which would be the event.created field        
  - timestamp:
      field: event.created
      layouts:
        - '2006-01-02T15:04:05Z'
        - '2006-01-02T15:04:05.999Z'
        - '2006-01-02T15:04:05.999-07:00'
      test:
        - '2019-06-22T16:33:51Z'
        - '2019-11-18T04:59:51.123Z'
        - '2020-08-03T07:10:20.123456+02:00'