AWS integration version 0.3.12 uses an ingestion node pipeline to set the event.ingested field to the ingestion timestamp. There is no mapping for this field in the index template so it defaults to keyword type, which breaks searching on the affected shards. No events are returned using a filter of data_stream.dataset:aws.cloudtrail.
Adding an explicit mapping for event.ingested to Date type in the index template fixes the issue.
Good catch, this looks odd. I'm getting help from someone who knows more about this integration.
This is being tracked in https://github.com/elastic/integrations/issues/473 now.
Thanks for spotting it!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.