Example ECS event

ecs-example.json

{
  "@timestamp": "2018-12-07T11:05:07.000Z",
  "agent" : {
    "type": "filebeat",
    "version": "7.0.0-beta1"
  },
  "ecs": { "version": "1.0.0" },
  "event": {
    "action": "get",
    "dataset": "apache.access",
    "original": "10.42.42.42 - - [07/Dec/2018:11:05:07 +0100] \"GET /blog HTTP/1.1\" 200 2571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\""
  },
  "http" : {
    "request": {
      "method": "get",
      "referrer": "-"
    },
    "response": {
      "body": { "bytes": 2571 },
      "status_code": 200
    },
    "version": "1.1"
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "webserver-blog-prod",
    "id": "i-1234567890abcdef0",
    "ip": "10.166.166.166"
  },
  "message": "\"GET /blog HTTP/1.1\" 200 2571",
  "service": {
    "name": "Company blog",
    "type": "apache"
  },
  "source": {
      "geo": {
      "continent_name" : "Asia",
      "location" : {
        "lon" : 126.97409999999999,
        "lat" : 37.5112
      },
      "country_iso_code" : "KR"
    },
    "ip": "10.42.42.42"
  },
  "url": { "original": "/blog" },
  "user": { "name": "-" },
  "user_agent" : {
    "name" : "Chrome",
    "original" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
    "os" : {
      "name" : "Mac OS X",
      "version" : "10.14.0",
      "full" : "Mac OS X 10.14.0"
    },
    "device" : {
      "name" : "Other"
    },
    "version" : "70.0.3538"
  }
}

The @timestamp should be 2018-12-07T10:05:07.000Z (if it's taken from "[07/Dec/2018:11:05:07 +0100]").

geo in source should be dedented by 2 blanks to make it easier to read:

  "source": {
    "geo": {
      "continent_name" : "Asia",
      "location" : {
        "lon" : 126.97409999999999,
        "lat" : 37.5112
      },
      "country_iso_code" : "KR"
    },
    "ip": "10.42.42.42"
  },