Team,
We are using Functionbeat to ingest CloudTrail logs into ES. Previously we were using Logstash to parse CloudTrail data.
Now, in both cases, we observed that the overall field count is too high; it is almost touching 3500 fields. Also, we observed it throwing the field expansion limit of 1024 fields, getting abnormally high, and that itself touching almost 2500 sub-fields. Is there a way to handle it, and how exactly are you guys managing CloudTrail log ingestion in your organization?