I cannot query fields in documents ingested by the elasticsearch filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline. I have already posted this query on the Beats forum but have received no reply, so I was hoping someone here could offer some advice.
Essentially I used the filebeat module cisco --pipelines command to create ingest pipelines in elasticsearch. Everything related to ingesting my cisco logs using that pipeline is working great except for the fact that I cannot query any phrase in any field unless it is an exact match. I cannot simply use a match query to find documents containing individual words or phrases.
If I index the exact same logs through logstash without sending through the filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline, then behavior is exactly like I have always experienced and I can query as normal.
From what I can see from GET _ingest/pipeline/, it appears that the original message is being processed into log.original, then into event.original, but I can't make out more than that.
Can anyone help me understand what I'm experiencing?
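One check worth doing before looking further at the pipeline is how the index that Filebeat writes to has mapped the fields: a `match` query against a field of type `keyword` only hits when the whole stored value is supplied, while a `text` field is analyzed and matches individual words. The script below is an added example, not part of the original post or of Filebeat; it walks a response shaped like `GET <index>/_mapping`, lists which string fields are `keyword` versus `text`, and picks a query form that fits the type. The index name and the mapping contents are constructed for the example and are not taken from any real Filebeat template.

```python
import json

# Constructed sample shaped like the response to GET <index>/_mapping.
# Field names follow ECS; the index name and the types are illustrative only.
SAMPLE_MAPPING = json.dumps({
    "filebeat-7.5.0-example": {
        "mappings": {
            "properties": {
                "message": {"type": "keyword", "ignore_above": 1024},
                "event": {"properties": {
                    "original": {"type": "keyword", "ignore_above": 1024}}},
                "log": {"properties": {
                    "original": {"type": "text"}}},
                "source": {"properties": {"ip": {"type": "ip"}}},
            }
        }
    }
})


def flatten_properties(properties, prefix=""):
    """Yield (dotted_field_name, field_type) for every leaf field."""
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            # Object field: recurse into its children with a dotted prefix.
            yield from flatten_properties(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")


def field_types(mapping_json):
    """Return {dotted_field: type} for every index in a _mapping response."""
    body = json.loads(mapping_json)
    result = {}
    for _index_name, index_body in body.items():
        props = index_body.get("mappings", {}).get("properties", {})
        result.update(dict(flatten_properties(props)))
    return result


def exact_match_only(mapping_json):
    """Fields whose type makes a match query require the whole stored value."""
    return sorted(f for f, t in field_types(mapping_json).items()
                  if t == "keyword")


def build_query(field, phrase, mapping_json):
    """Choose a query body that fits the field's mapping type.

    text    -> match query (analyzed, hits on individual words)
    keyword -> wildcard query (substring over the exact stored value)
    """
    t = field_types(mapping_json).get(field)
    if t == "text":
        return {"query": {"match": {field: phrase}}}
    if t == "keyword":
        return {"query": {"wildcard": {field: {"value": f"*{phrase}*"}}}}
    raise ValueError(f"field {field!r} is mapped as {t}, not a string type")


if __name__ == "__main__":
    print("keyword-only fields:", exact_match_only(SAMPLE_MAPPING))
    print(json.dumps(build_query("message", "Deny", SAMPLE_MAPPING)))
    print(json.dumps(build_query("log.original", "Deny tcp", SAMPLE_MAPPING)))
```

To run it against a live cluster, replace `SAMPLE_MAPPING` with the body returned by `GET <your-index>/_mapping`. A leading-wildcard query over `keyword` fields works but scans every term and is slow on large indices; if word-level search on a field is needed routinely, the longer-term fix is to change the index template so the field is `text` or carries a `text` multi-field, which has to happen before the index is created.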