Data_stream.namespace in subject for Jira Action

I am trying to use data_stream.namespace in the subject for a Jira Action, but it does not pull any data. I can see the data in the JSON for the alert. Please help.

```json
{
  "_index": ".internal.alerts-security.alerts-default-000001",
  "_id": "13f0cfc690c7cf23cf7da60c113f0986e22a1cff64ad3a1fefd45ce3311c083a",
  "_score": 1,
  "fields": {
    "data_stream.namespace": [
      "xyz"
    ]
  }
}
```

@jguilford The data_stream.* fields are presently mistakenly included in alerts and will likely be removed or renamed in the future. [Security Solution] Gracefully handle `data_stream.*` fields in alert source data · Issue #171104 · elastic/kibana · GitHub explains more. In the meantime, however, I think kibana.space_ids === data_stream.namespace, and is another field that should have the same value that can be used in its place. event.dataset should equal data_stream.dataset. There is not one I see that should be the same for data_stream.type, but hopefully there is another field in event.* or kibana.alert.* that will work if you need to use that one.
