timestamp reordering (should be first)

[arianf]

timestamp should be the first thing in the hash, given that splunk will only parse by default the first 128 characters of a json MAX_TIMESTAMP_LOOKAHEAD default is 128

Since message is almost always a variable length, and timestamp is always a fixed length, I think by default the order of timestamp should be first in the ruby hash.

https://github.com/dwbutler/logstash-logger/blob/b8f5403c44150f10d15b01133f8b6d1e9eb31806/lib/logstash-logger/formatter/base.rb#L30-L43

could be rewritten to:

        event = case data
                  when LogStash::Event
                    data.clone
                  when Hash
                    event_data = data.clone
                    event_data['@timestamp'.freeze] = time
                    event_data['message'.freeze] = event_data.delete(:message) if event_data.key?(:message)
                    event_data['tags'.freeze] = event_data.delete(:tags) if event_data.key?(:tags)
                    event_data['source'.freeze] = event_data.delete(:source) if event_data.key?(:source)
                    event_data['type'.freeze] = event_data.delete(:type) if event_data.key?(:type)
                    LogStash::Event.new(event_data)
                  else
                    LogStash::Event.new("@timestamp".freeze => time, "message".freeze => msg2str(data))
                end

[arianf]

In the meantime, I have the following workout which is not great:

customize_event: lambda do |event|
  event.instance_variable_set(
    :@data,
    { timestamp: event.timestamp.iso8601(6) }.merge(event.instance_variable_get(:@data))
  )
end