You need to tell Elasticsearch to treat that field as a date. Once Elasticsearch knows that it is a date, then Kibana will display it properly.
The Elasticsearch template for Bro that is shipped with Metron can be used as a guide. The template already handles this situation. Either install that template directly or create your own template using Metron's as a guide.
- You can either define it specifically for one field, like this.
- Or specify multiple fields that should be treated as dates, like this.
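As an added illustration (not Metron's own Bro template, and not the snippets originally referenced above), here is a legacy index template in the shape both approaches take. The index pattern `bro_index*`, the field names `timestamp` and `*_time`, the `epoch_millis` format and the Elasticsearch 7.x legacy `_template` API are all assumptions; substitute the pattern and field names your indices actually use.

```json
{
  "index_patterns": ["bro_index*"],
  "mappings": {
    "dynamic_templates": [
      {
        "epoch_date_fields": {
          "match": "*_time",
          "match_mapping_type": "long",
          "mapping": {
            "type": "date",
            "format": "epoch_millis"
          }
        }
      }
    ],
    "properties": {
      "timestamp": {
        "type": "date",
        "format": "epoch_millis"
      }
    }
  }
}
```

The `properties` entry maps one named field explicitly; the `dynamic_templates` entry maps every newly seen numeric field whose name ends in `_time` as a date. Install it with `PUT _template/bro_index` and the body above. Two checks worth doing: the `format` must match how the values are actually written (`epoch_millis`, `epoch_second` or an ISO string), otherwise documents are rejected or dates land in the wrong year; and `GET bro_index*/_mapping` after the next index rolls confirms the field now shows `"type": "date"`, which is the point at which Kibana can treat it as a time field.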
Also, note that the change will only take effect after the index rolls. If the indices roll every hour, then you need to wait until the next hour to see the change. Or, if your data is disposable, just delete the index and see your change take effect immediately.