Can I change the primary key for identifying hosts in the SIEM app?

I'm shipping logs from a number of hosts via a single filebeat running on a collector. As a result, the default primary key used by the SIEM app is not very useful to me. host.hostname would work a lot better. Can I change the primary key for identifying hosts in the SIEM app? Can I alternatively add/remove/change lines in my filebeat.yml to remap fields so that will contain the same data as host.hostname?

Could I maybe work around this problem by using the copy_fields processor? I've tried something like this:

    - copy_fields:
        # copy_fields takes a list under `fields:`, each entry with `from` and `to`;
        # the target field was not given in the post, so it is left as a placeholder
        fields:
          - from: host.hostname
            to: <target.field>
        fail_on_error: false
        ignore_missing: true

But, I don't seem to get the desired result...

I haven't done this before as I particularly enjoy using but this might be helpful as it looks like someone else has done this before:

Sorry for the slow response. I was without reliable access for a couple of days. I'm interested in the approach of declaring a new ingest pipeline, but could use a little direction in that regard. I've been working on dropping/copying/renaming fields as a parallel solution without much luck. I cannot access host.hostname from my processors for some reason.
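Added example, not code from anyone in this thread: the ingest-pipeline route mentioned above, done from the shell against the Elasticsearch API. It defines a pipeline with a single `set` processor that copies `host.hostname` into `host.name` only when `host.hostname` is present, and dry-runs it with `_simulate` against two constructed documents before Filebeat is pointed at it. The cluster URL in `ES_URL`, the pipeline id `copy-hostname-to-host-name`, and `host.name` as the field the SIEM app keys hosts on are all assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Assumptions: ES_URL, the pipeline id,
# and host.name as the SIEM host identifier.
set -eu

ES_URL="${ES_URL:-http://localhost:9200}"   # assumed; point at your cluster
PIPELINE="copy-hostname-to-host-name"       # assumed pipeline id

# Pipeline definition: one `set` processor using copy_from. The `if` clause
# (Painless, null-safe) makes documents without host.hostname pass through
# untouched, so collector-only events are not broken.
pipeline_body() {
  cat <<'EOF'
{
  "description": "Copy host.hostname into host.name (assumed SIEM host key)",
  "processors": [
    {
      "set": {
        "field": "host.name",
        "copy_from": "host.hostname",
        "override": true,
        "if": "ctx.host?.hostname != null"
      }
    }
  ]
}
EOF
}

# Constructed sample documents shaped like events shipped through a collector:
# host.name carries the collector, host.hostname the original source host.
simulate_body() {
  cat <<'EOF'
{
  "docs": [
    { "_source": { "host": { "name": "collector01", "hostname": "webserver07" },
                   "message": "constructed sample with host.hostname" } },
    { "_source": { "host": { "name": "collector01" },
                   "message": "constructed sample without host.hostname" } }
  ]
}
EOF
}

# Install (PUT is idempotent, safe to re-run after edits).
install_pipeline() {
  curl -sS -X PUT "$ES_URL/_ingest/pipeline/$PIPELINE" \
    -H 'Content-Type: application/json' --data-binary "$(pipeline_body)"
}

# Dry run: in the response, doc 1 should show host.name "webserver07",
# doc 2 should keep host.name "collector01".
simulate_pipeline() {
  curl -sS -X POST "$ES_URL/_ingest/pipeline/$PIPELINE/_simulate" \
    -H 'Content-Type: application/json' --data-binary "$(simulate_body)"
}

# Uncomment to run against a live cluster, then set
#   output.elasticsearch.pipeline: "copy-hostname-to-host-name"
# in filebeat.yml so every event is routed through the pipeline.
# install_pipeline && simulate_pipeline
```

Once `_simulate` shows the expected `host.name` values, the only Filebeat change needed is the `output.elasticsearch.pipeline` setting, which sidesteps the processor-side trouble with reaching `host.hostname` because the copy happens after the event reaches Elasticsearch.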
