I am trying to create an alert containing the populated fields (host.name, user.name, file.name, process.name); however, when the rule triggers the alert, it seems that these are not populated. I was advised that it is because we used our own parser and are not aligned with ECS. Are there any fast workarounds, like just renaming the field names upon query so they will populate?
Hi, you can look into runtime fields to help you align custom fields fast.
But I would suggest you start working on aligning with ECS as much as possible, as it will help you out a lot more in the long term.
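As an added illustration of the runtime-field approach suggested above (this is not code from the original thread), the mapping below exposes four ECS field names on top of custom field names that the original question does not give, so `hostname`, `username`, `filename` and `procname` are assumed names for the parser's output. It is the request body for `PUT <your-index>/_mapping` (or the `mappings` section of an index template for data streams); each runtime field is computed at query time with a Painless script, so no reindexing is needed, and each script checks that the source field exists and is non-empty so that documents lacking it return no value instead of failing the search.

```json
{
  "runtime": {
    "host.name": {
      "type": "keyword",
      "script": {
        "source": "if (doc.containsKey('hostname') && doc['hostname'].size() != 0) { emit(doc['hostname'].value); }"
      }
    },
    "user.name": {
      "type": "keyword",
      "script": {
        "source": "if (doc.containsKey('username') && doc['username'].size() != 0) { emit(doc['username'].value); }"
      }
    },
    "file.name": {
      "type": "keyword",
      "script": {
        "source": "if (doc.containsKey('filename') && doc['filename'].size() != 0) { emit(doc['filename'].value); }"
      }
    },
    "process.name": {
      "type": "keyword",
      "script": {
        "source": "if (doc.containsKey('procname') && doc['procname'].size() != 0) { emit(doc['procname'].value); }"
      }
    }
  }
}
```

The custom source fields must have doc values (for example be mapped as `keyword`, not only `text`) for `doc['...']` to read them. Because the ECS names are now part of the index mapping, any search over the index, including the detection rule's query, can return them; the trade-off is that every such search pays for the script on each matching document, which is why the longer-term advice is still to emit ECS field names from the parser itself.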