Fortigate Integration - Separation of logs datastream based on a field value

Hello @stephenb ,
I tested your recommendation and the output is OK in the testing phase.

Output:

{
  "docs": [
    {
      "doc": {
        "_index": ".ds-fortinet_fortigate.log_forward-default",
        "_version": "-3",
        "_id": "bx3Uf5gBGjSND2_adBI3",
        "_source": {
          "agent": {
            "name": "<AGENT_NAME>",
            "id": "<AGENT_ID>",
            "type": "filebeat",
            "ephemeral_id": "24a8a5ad-f1ea-4b4a-bde9-ab67c3862d32",
            "version": "8.16.6"
          },
...
          },
          "event": {
            "code": "0000000013",
            "timezone": "+0200",
            "kind": "event",
            "start": "2025-08-06T16:37:28.894+02:00",
            "type": [
              "connection",
              "end",
              "denied"
            ],
            "duration": 0,
            "agent_id_status": "verified",
            "ingested": "2025-08-06T14:41:26Z",
            "action": "deny",
            "category": [
              "network"
            ],
            "dataset": "fortinet_fortigate.log_forward",
            "outcome": "success"
          }
        },
        "_ingest": {
          "timestamp": "2025-08-06T16:04:25.65708688Z"
        }
      }
    }
  ]
}

Yet, after applying this, no datastream is created.

I'm thinking about these problems that you guys talk about: New index not created by ingestion pipeline - #19 by leandrojmp

and it could be a permission problem: could it be that?