From 590b497cf7c3b8c60fa56340f698dd555c246a63 Mon Sep 17 00:00:00 2001
From: Andrew Kroh <andrew.kroh@elastic.co>
Date: Fri, 6 Nov 2020 11:50:51 -0500
Subject: [PATCH] Add event.ingested to Netflow module (#22412) (#22449)

Add event.ingested to the pipeline in the Netflow Filebeat module.

(cherry picked from commit fa9ebaad68c1b5ed18e449e9a2fb5f1cbf506857)
---
 CHANGELOG.next.asciidoc                                | 1 +
 x-pack/filebeat/module/netflow/log/ingest/pipeline.yml | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 96821eaf613..23647a64622 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -741,6 +741,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Copy tag names from MISP data into events. {pull}21664[21664]
 - Added DNS response IP addresses to `related.ip` in Suricata module. {pull}22291[22291]
 - Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. {pull}21696[21696]
+- Added `event.ingested` field to data from the Netflow module. {pull}22412[22412]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/netflow/log/ingest/pipeline.yml b/x-pack/filebeat/module/netflow/log/ingest/pipeline.yml
index 934e33ad564..a793268db3d 100644
--- a/x-pack/filebeat/module/netflow/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/netflow/log/ingest/pipeline.yml
@@ -2,6 +2,10 @@
 description: Pipeline for Filebeat NetFlow
 
 processors:
+  - set:
+      field: event.ingested
+      value: '{{_ingest.timestamp}}'
+
   # IP Geolocation Lookup
   - geoip:
         if: ctx.source?.geo == null