Hello,
I have a problem with the default component templates for logs index. According to the documentation, 4 component templates should be used:
logs@mappingslogs@settingslogs@customecs@mappings
However, despite the presence of a custom mapping to add a normalizer in the component template logs@custom, this is not used in all my log integrations.
In Index Templates, if I check the logs, I can see the 4 component templates. However, if I take another one linked to an integration (logs-azure.eventhub for example), I don't find the 4 but only the logs@settings and ecs@mappings in addition to those linked to the integration and .fleet_globals-1 + .fleet_agent_id_verification-1.
In my list of Component Templates in Management, it says that logs@custom is only used by logs but logs@settings is marked with 97, I don't know if this is normal.
Note that I had set up this component template to test before this configuration was deployed. I can't try to delete it and recreate it from Kibana since it's used by logs and I don't want to break everything by trying to delete it from the API.
Has this problem already been encountered and does anyone have a solution? Have I missed a specific configuration so that logs@custom and logs@mappings are missing from my Index Templates?
I know there's the composed_of configuration in the index templates, so I shouldn't have to modify the index templates managed by Fleet.
I don't know if I can give you more details?
My version of ELK: 8.14.0
Thank you.