I'm shipping logs from a number of hosts via a single filebeat running on a collector. As a result, the default primary key used by the SIEM app, `host.name`, is not very useful to me. `host.hostname` would work a lot better. Can I change the primary key for identifying hosts in the SIEM app? Can I alternatively add/remove/change lines in my `filebeat.yml` to remap fields so that `host.name` will contain the same data as `host.hostname`?
Could I maybe work around this problem by using the `copy_fields` processor? I've tried something like this:

```yaml
processors:
  - copy_fields:
      fields:
        - from: host.hostname
          to: host.name
      fail_on_error: false
      ignore_missing: true
```

But I don't seem to get the desired result...
I haven't done this before as I particularly enjoy using `host.name`, but this might be helpful as it looks like someone else has done this before:
Sorry for the slow response. I was without reliable access for a couple of days. I'm interested in the approach of declaring a new ingest pipeline, but could use a little direction in that regard. I've been working on dropping/copying/renaming fields as a parallel solution without much luck. I cannot access `host.hostname` from my processors for some reason.
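The ingest-pipeline route mentioned above, as an added example that is not from this thread or from Elastic: an Elasticsearch ingest pipeline whose `set` processor overwrites `host.name` with `host.hostname` only when `host.hostname` is present on the document. The pipeline name `remap-host-name` is an assumption, and it assumes `host.hostname` is already populated by the time the event reaches Elasticsearch (for example by a module's own pipeline), which is why a Filebeat-side `copy_fields` cannot see it.

```json
{
  "description": "Example pipeline (constructed, not from the thread): make host.name mirror host.hostname so the SIEM app keys hosts on the original sender rather than the collector",
  "processors": [
    {
      "set": {
        "if": "ctx.host?.hostname != null && ctx.host.hostname != ''",
        "field": "host.name",
        "value": "{{host.hostname}}",
        "override": true,
        "ignore_failure": false
      }
    }
  ]
}
```

Store it with `PUT _ingest/pipeline/remap-host-name` and dry-run it against a sample document with `POST _ingest/pipeline/remap-host-name/_simulate` before pointing non-module inputs at it via `output.elasticsearch.pipeline` in `filebeat.yml`; events without `host.hostname` pass through with `host.name` unchanged.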
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.