Hi all,
In the Trend Micro Vision One integration, I added a custom pipeline:
{
  "json": {
    "field": "event.original",
    "target_field": "details",
    "if": "ctx?.trend_micro_vision_one.detection.product.name == 'Vision One Container Security'"
  }
}
This creates the field details.rawDataStr.
I defined a custom mapping to define this field as Text.
If I check the index mapping created after the rollover from Index Management > Indices > Index details > Mappings, this field is actually text. However, in Discover, among the Available Fields, the field details.rawDataStr is keyword. Why? Thanks in advance for your answers.
What version are you on?
Run this on the new index (post-rollover) and the old pre-rollover one:
GET .ds-logs-trend_micro_vision_one.detection-default-2024.12.15-000001/_mapping/field/details.rawDataStr
BUT if an old index is defined as one type and the new one is defined as a new type, there is a conflict, and I am not sure which way Discover will show...
Hi @stephenb ,
The version is: v 8.16.1.
The context is what you say. The details.rawDataStr field was keyword. I later changed it to text and did a rollover.
Right, so Discover will not necessarily show your new mapping when there are 2 different types in the Data view...
If you run the command above and check the mapping and it's correct... then it's correct. When there are no more indices with the old mapping and you refresh the browser (because the mappings are cached locally), it should be correct.
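Added example, not part of any post in this thread: a Python sketch that takes the JSON returned by the field-mapping request above, run against the whole data stream instead of a single backing index, and lists which backing indices still map details.rawDataStr with the old type. The index names and the response body are constructed for illustration.

```python
import json
from collections import defaultdict

FIELD = "details.rawDataStr"

# Constructed response in the shape returned by
# GET <data-stream>/_mapping/field/details.rawDataStr (one entry per backing index).
SAMPLE_RESPONSE = json.loads("""
{
  ".ds-logs-example-000001": {"mappings": {"details.rawDataStr": {
    "full_name": "details.rawDataStr",
    "mapping": {"rawDataStr": {"type": "keyword", "ignore_above": 1024}}}}},
  ".ds-logs-example-000002": {"mappings": {"details.rawDataStr": {
    "full_name": "details.rawDataStr",
    "mapping": {"rawDataStr": {"type": "text"}}}}},
  ".ds-logs-example-000003": {"mappings": {}}
}
""")


def types_by_index(response, field=FIELD):
    """Map each backing index to the field's type, or None if it is unmapped there."""
    result = {}
    for index, body in response.items():
        entry = body.get("mappings", {}).get(field)
        # The inner "mapping" object is keyed by the leaf name, not the full path.
        leaf = next(iter(entry["mapping"].values()), {}) if entry else {}
        result[index] = leaf.get("type")
    return result


def find_conflict(response, field=FIELD):
    """Return {type: [indices]} when the field has more than one type, else {}."""
    groups = defaultdict(list)
    for index, ftype in types_by_index(response, field).items():
        if ftype is not None:
            groups[ftype].append(index)
    return {t: sorted(ix) for t, ix in groups.items()} if len(groups) > 1 else {}


if __name__ == "__main__":
    for ftype, indices in find_conflict(SAMPLE_RESPONSE).items():
        print(f"{ftype}: {', '.join(indices)}")
```

An empty result means every backing index that maps the field agrees on its type, which is the state the last reply describes waiting for.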