From the page:
https://www.bro.org/sphinx/components/bro-plugins/elasticsearch/README.html
And a couple more (guess what I’m doing today…)
The below fixes dots in field names (id.orig_h for example) with ES 2.4.0:
https://www.elastic.co/guide/en/elasticsearch/reference/current/dots-in-names.html
A lot of your fields you can map via Kibana, but a couple you can’t, namely ts, id.orig_h, id.resp_h. Once that’s done, here’s a curl line to create a mapping template:
curl -XPUT "http://localhost:9200/_template/bro_template" -d '
{
  "template": "bro-*",
  "mappings": {
    "bro_ts": {
      "properties": {
        "ts": {
          "type": "date",
          "format": "epoch_millis"
        }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": {
          "type": "ip"
        }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": {
          "type": "ip"
        }
      }
    }
  }
}'
This will allow new indexes to have the above. For me, as this is a new install, I just nuked all bro-* indexes and started over, THEN I went to Kibana to add bro-* as an index where ts shows as the time-field name:
Hope this helps someone in the world
James
In 2.5 (beta right now), you can do this...
redef Log::default_scope_sep = "_";
That will get rid of periods from your log field names in all logs.
.Seth
Excellent....file that under the "more than one way to skin a cat" category...looking forward to 2.5..thanks Seth.
James
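As an added example (not code from this thread, and not part of Bro or its ElasticSearch plugin), the script below generates the same kind of ES 2.x index template from a small field-type table and takes the scope separator as a parameter, so one function covers both James's dotted names (ES 2.4 expands "id.orig_h" into an object path, as the linked dots-in-names page describes) and the underscore names Bro emits after Seth's redef Log::default_scope_sep = "_". It also normalises a Bro-style JSON record before indexing: ts goes from Bro's epoch seconds to epoch_millis, and the address fields are checked as IPs so a malformed document fails loudly instead of being mapped as a string. The index pattern "bro-*", the type name "conn" and the sample record are assumptions.

```python
"""Added example: build an ES 2.x index template for Bro's special fields and
normalise Bro JSON records to match it. Not code from the mailing-list thread
or from the Bro ElasticSearch plugin; the index pattern, type name and the
sample record below are assumptions."""
import ipaddress
import json

# Fields the thread says Kibana cannot map automatically, with the ES 2.x
# types James's template assigns them.
SPECIAL_FIELDS = {
    "ts": {"type": "date", "format": "epoch_millis"},
    "id.orig_h": {"type": "ip"},
    "id.resp_h": {"type": "ip"},
}


def scoped(name, scope_sep):
    """Rewrite Bro's '.'-scoped field name with the given separator."""
    return name.replace(".", scope_sep)


def build_template(index_pattern="bro-*", doc_type="conn", scope_sep="."):
    """Return the body for PUT /_template/<name> on Elasticsearch 2.x.

    scope_sep="." mirrors the dotted names in the thread (ES 2.4 expands
    "id.orig_h" into an object path); scope_sep="_" mirrors the names Bro
    emits after redef Log::default_scope_sep = "_".
    """
    props = {scoped(n, scope_sep): dict(spec) for n, spec in SPECIAL_FIELDS.items()}
    return {"template": index_pattern, "mappings": {doc_type: {"properties": props}}}


def normalize_record(record, scope_sep="."):
    """Prepare one Bro JSON log record for the template above.

    - renames every scoped field with scope_sep
    - converts ts (Bro writes epoch seconds as a float) to epoch_millis
    - rejects a record whose address fields are not valid IPs, so a bad
      document fails here instead of being silently mapped as a string
    """
    out = {}
    for key, value in record.items():
        if key == "ts":
            value = int(round(float(value) * 1000))
        elif SPECIAL_FIELDS.get(key, {}).get("type") == "ip":
            ipaddress.ip_address(value)  # raises ValueError on a non-IP value
        out[scoped(key, scope_sep)] = value
    return out


# Constructed sample: a conn.log-style record as Bro's JSON writer emits it.
SAMPLE_RECORD = {
    "ts": 1474320000.5,
    "uid": "CExample1",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "192.0.2.10",
    "id.resp_p": 443,
    "proto": "tcp",
}

if __name__ == "__main__":
    # Template body suitable for:
    #   curl -XPUT "http://localhost:9200/_template/bro_template" -d @template.json
    print(json.dumps(build_template(scope_sep="_"), indent=2))
    # The same record after renaming and ts conversion, ready to index.
    print(json.dumps(normalize_record(SAMPLE_RECORD, scope_sep="_"), indent=2))
```

Pick the separator once and use it for both the template and the records; a template written with dotted names will not match documents whose fields were renamed with underscores, and vice versa.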