Filebeat 7.2's osquery module not respecting var.use_namespace: false

The documentation (Osquery module, Filebeat Reference [8.11], Elastic) says:

var.use_namespace

If true, all fields exported by this module are prefixed with osquery.result. Set to false to copy the fields in the root of the document. If enabled, this setting also disables the renaming of some fields (e.g. hostIdentifier to host_identifier). Note that if you set this to false, the sample dashboards coming with this module won't work correctly. The default is true.

So I'd expect a config of:

- module: osquery
  result:
    enabled: true
    var.use_namespace: false

to change the messages I receive. But there is no difference whether that line says true, false, or is deleted so the true default is used.

The documents still are in the form:

{
  "_index": "filebeattest6",
  [...],
    "osquery": {
      "result": {
        "columns": {
          "max_rpm": "1836",
          "target_rpm": "790",
          "name": "Main ",
          "min_rpm": "790",
          "actual_rpm": "789",
          "fan_id": "0"
        },

Hello @DPattee

After you set that variable you have to reinstall the pipelines, because the conditional is baked in at install time.

./filebeat setup --pipelines --modules osquery
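To confirm the reinstalled pipeline is actually in effect, here is an added check (not from this thread or from the Filebeat project) that classifies a document fetched from the index by its layout: still namespaced under osquery.result, or copied to the root with the raw osquery field names. Both sample documents are constructed, modelled on the excerpt in the question; where hostIdentifier sits inside the namespaced document is an assumption, so the check looks for the key anywhere in the document.

```python
import json

# Constructed sample: what the index still shows while the old pipeline is
# installed (use_namespace: true baked in, hostIdentifier already renamed).
NAMESPACED_DOC = json.loads("""
{
  "osquery": {
    "result": {
      "name": "pack_fans",
      "action": "added",
      "host_identifier": "lab-host-01",
      "columns": {"fan_id": "0", "actual_rpm": "789", "target_rpm": "790"}
    }
  }
}
""")

# Constructed sample: expected shape once the pipeline has been reinstalled
# with use_namespace: false (fields at the root, no renaming per the docs).
ROOT_DOC = json.loads("""
{
  "name": "pack_fans",
  "action": "added",
  "hostIdentifier": "lab-host-01",
  "columns": {"fan_id": "0", "actual_rpm": "789", "target_rpm": "790"}
}
""")


def has_key(obj, key: str) -> bool:
    """Return True if `key` occurs anywhere in a nested JSON object."""
    if isinstance(obj, dict):
        return key in obj or any(has_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(has_key(v, key) for v in obj)
    return False


def classify_osquery_doc(doc: dict) -> dict:
    """Report which pipeline variant produced an osquery result document.

    layout 'namespaced' after switching to use_namespace: false means the
    ingest pipeline was not reinstalled (filebeat setup --pipelines).
    """
    result = doc.get("osquery", {}).get("result")
    namespaced = isinstance(result, dict) and "columns" in result
    at_root = "columns" in doc
    layout = "namespaced" if namespaced and not at_root else \
             "root" if at_root and not namespaced else "unknown"
    renamed, raw = has_key(doc, "host_identifier"), has_key(doc, "hostIdentifier")
    # Per the docs, namespaced docs carry the renamed field, root docs the raw one.
    consistent = (layout == "namespaced" and renamed) or (layout == "root" and raw)
    return {"layout": layout, "host_field_renamed": renamed,
            "host_field_raw": raw, "consistent": consistent}
```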
