HI,
I'm trying to create a simple rule that checks host.name field:
But no signal is generating. here is my index mapping.
I can see events in timeline using the same query.
But no signal is generating. here is my index mapping.
HI @Frank_Hassanabad,
Sorry for bothering you. I saw this post and I thought it might be a problem with my @timestamp too.
Here's a sample log.
I posted my mapping in the original post but I don't think that's the problem.
I'm using a grok processor in ingest pipeline and my patterns don't parse @timestamp field. but it'll have a value after processing.
Any help would be highly appreciated
hi,
what user are running as ? Please try as "superadmin" just to see if iti s not related to permissions
I'm using the default superadmin user, a.k.a elastic.
And I can create the same rule with another index and it works fine.
Hi-ya' @borna_talebi,
So I took a look at this and you're in luck 
that we have improved the upcoming soon to be released 7.10.0 to bubble up more errors about ECS mapping issues to tighten up this feedback loop about errors from custom source indexes.
In the meantime, I tried out the latest experimental version and here are the two errors I can see in my environment for you to fix and everything should work out:
host.ip should be of the data type, "ip" and not "keyword"
"ip": {
"type": "ip",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
And then second you need to change user to be a type of object with a name underneath it:
"user": {
"properties": {
"name": {
"type": "keyword"
}
}
},
I changed both of those and everything worked out w/ the mapping and sample data set you gave me.
ECS references:
Thanks a lot! It worked!
Looking forward to 7.10.0 update
1 Like
Good to hear and thank you for coming back to let the next person know this is what fixed it.
2 Likes
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.