Osquery exported fields

michaelv · January 6, 2022, 3:40am

I'm running 7.16.1 for everything.
including elastic-agent-7.16.1-linux-x86_64.tar.gz

I have a question on osquery exported fields.
From this URL: Osquery Manager | Elastic Docs
It states that fields like
interface_details.ibytes should be mapped as ibytes, "keyword, number.long"

When I imported it via fleet, osquery packs. With a simple
id: interface_details
interval: 60
query: select * from interface_details;

From the kibana gui on the retrieved data.
All the osquery.idrops , ipackets etc are mapped as text fields.

I thought it was suppose to be mapped as number.long?
Or am I missing something?

Regards,

Michael

michaelv · January 6, 2022, 4:07am

Sorry.. my mistake.. apparently when you visualise you actually see the value as
osquery.ibytes
osquery.ibytes.number

system · February 3, 2022, 4:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OSQuery Integration user.id is [long] but ECS is [keyword] Elastic Security	3	259	June 7, 2023
Querying a LONG field Elasticsearch	5	362	July 6, 2017
List of integers vs list of long Elasticsearch	3	457	January 10, 2017
ES long field has string value indexed Elasticsearch	4	814	January 18, 2019
Date field mapping error with type [date] to [long] Elasticsearch	13	13542	May 19, 2021

Osquery exported fields

Related topics