From c4cba0cd6c657afd2068d9603523ee8734852fcd Mon Sep 17 00:00:00 2001 From: Jan Drees Date: Fri, 27 Sep 2024 09:48:38 +0200 Subject: [PATCH] Add timestamp_field to the documentation --- docs/source/ruletypes.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index 8b57fe1e..60bc8a32 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst @@ -142,6 +142,8 @@ Rule Configuration Cheat Sheet +--------------------------------------------------------------+ + | ``buffer_time`` (time, default from config.yaml) | | +--------------------------------------------------------------+ | +| ``timestamp_field`` (string, default "@timestamp") | | ++--------------------------------------------------------------+ | | ``timestamp_type`` (string, default iso) | | +--------------------------------------------------------------+ | | ``timestamp_format`` (string, default "%Y-%m-%dT%H:%M:%SZ") | | @@ -971,6 +973,14 @@ summary_suffix ``summary_suffix``: Specify a suffix string, which will be added after the aggregation summary table. This string is currently not subject to any formatting. +timestamp_field +^^^^^^^^^^^^^^ + +``timestamp_field``: Specify the name of the document field containing the timestamp. +By default, the field ``@timestamp`` is used to query Elasticsearch. +If ``timestamp_field`` is set, this date field will be considered whenever querying, filtering and aggregating based on timestamps. +(Optional, string, default @timestamp). + timestamp_type ^^^^^^^^^^^^^^
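Review bot: In the first hunk (cheat-sheet table), the new grid row ``| ``timestamp_field`` (string, default "@timestamp") | |`` must be padded to exactly the same width as the ``+-----+`` borders around it, otherwise docutils rejects the whole table; worth confirming the trailing spaces survived the copy, since a one-column mismatch is easy to miss in the diff. Also make the default consistent with the prose entry later in the patch, which writes it as ``default @timestamp`` without quotes while this row writes ``"@timestamp"``; pick one form for both places.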
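Review bot: In the second hunk, the heading underline under ``timestamp_field`` appears to be 14 carets (the same length as the existing ``timestamp_type`` underline) while the heading text is 15 characters; reStructuredText requires the underline to be at least as long as the title, so Sphinx will emit "Title underline too short" and a docs build run with ``-W`` fails. Extend it to ``^^^^^^^^^^^^^^^`` or longer. It would also help readers to state that the named field is expected to hold a date value that ElastAlert can parse, and to point at the adjacent ``timestamp_type`` and ``timestamp_format`` options, since those govern how the value in this field is interpreted; the sentence "this date field will be considered whenever querying, filtering and aggregating" currently leaves that relationship implicit.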