Hello,
I'm upgrading winlogbeat 5.4.1 to 7.8.0. I saw that some fields are now prefixed by "winlog" (example: event_id became winlog_event_id).
Is there a setting, or is it possible to add rule to remove this prefix ? I saw the "rename" processor, but you can't use a rename pattern and I don't want to list all the fields to rename.
Thanks
EDIT: In fact, it's not a prefix but [event_id] is nested in [winlog]. So, is it possible to remove the additional [winlog] ?