Hi,
Over the past few days I have been having an issue where every field that is not a "date" field is being dropped from a document.
Any ideas why this could be the case?
Example of an affected document (there is no "_source" at all; only the date values under "fields" remain):
{
"_index": "tid.496e3cfd-672c-47ae-9dfb-0d840b0aed80.2020.02.5",
"_type": "_doc",
"_id": "GYyaL3ABeXCM9bWDSY5E",
"_version": 1,
"_score": null,
"fields": {
"winlog_event_created": [
"2020-02-10T14:56:40.028Z"
],
"@timestamp": [
"2020-02-10T14:56:41.167Z"
]
},
"sort": [
1581346601167
]
}
Whereas it should look like this, with the full "_source" present:
{
"_index": "tid.496e3cfd-672c-47ae-9dfb-0d840b0aed80.2020.02.5",
"_type": "_doc",
"_id": "SuZQF3ABvIRm3KmPzrIi",
"_version": 1,
"_score": null,
"_source": {
"process_id": 920,
"id": "02b99d11-2d20-40f8-9fc7-7610bd7aba27",
"host": "ACL-LP032",
"record_number": "10290",
"event_data": {
"UserSid": "S-1-5-21-1879512415-1641104040-2350575588-10162",
"TSId": "1"
},
"opcode": "Info",
"type": "wineventlog",
"thread_id": 1172,
"provider_guid": "{dbe9b383-7cf3-4331-91cc-a3cb16a3b538}",
"@version": "1",
"beat": {},
"tags": [
"windows"
],
"source_name": "Microsoft-Windows-Winlogon",
"compass_collectorless": true,
"computer_name": "ACL-LP032.aurigaconsulting.local",
"compass_device_id": "7889f402-3509-4ecb-8d3f-7509b5ee136f",
"log_name": "System",
"level": "Information",
"tenant": "496e3cfd-672c-47ae-9dfb-0d840b0aed80",
"message": "User Log-off Notification for Customer Experience Improvement Program",
"@timestamp": "2020-02-05T21:45:28.064Z",
"event_id": 7002,
"type": "wineventlog",
"user": {
"identifier": "S-1-5-18",
"domain": "NT AUTHORITY",
"name": "SYSTEM",
"type": "User"
},
"result": "wineventlog-System-7002"
},
"fields": {
"@timestamp": [
"2020-02-05T21:45:28.064Z"
]
},
"sort": [
1580939128064
]
}