Sorry, I've been meaning to post.
I've spent all weekend reindexing (GBs of data...) so I could do more tests after I delete the winlogbeat-*
(From what I gather, that's the only way, since you can't just change the field type on existing indices.)
For starters, you will have to change this for sure:
- equals.winlog.event_id: 4634
to
- contains.winlog.event_id: "4634"
since winlog.event_id is now a string.
- The contains condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
I still have another cluster to upgrade; I'll make the change in the winlogbeat config first and see whether that's sufficient. I have a feeling it's not, as after reindexing the field type is correct (text):
{
  "winlogbeat-7.13.0-2021.05.29" : {
    "mappings" : {
      "event.code" : {
        "full_name" : "event.code",
        "mapping" : {
          "code" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      },
      "winlog.event_id" : {
        "full_name" : "winlog.event_id",
        "mapping" : {
          "event_id" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}
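To make the behaviour change concrete, here is an added example (not code from the post above and not Winlogbeat's own implementation) that models the documented semantics of the Beats `equals` and `contains` conditions and runs them against constructed events shaped like Winlogbeat output before 7.13 (integer `winlog.event_id`) and after (string `winlog.event_id`). It also parses a `GET <index>/_mapping/field/<name>` response in the shape shown above to report the field's mapped type. The matching rules (`equals` accepts an integer or a string and compares like with like; `contains` accepts only a string and does a substring test on string fields) are taken from the Beats condition documentation and are an assumption of this model; the sample events and the hypothetical event ID `14634` are constructed for illustration.

```python
"""Model of Beats `equals` / `contains` condition matching (added example, assumption:
follows the documented condition semantics, not the real Beats code)."""
import json
from typing import Any, Dict, Optional


def get_path(event: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted key such as 'winlog.event_id' through a nested event dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def equals(event: Dict[str, Any], field: str, expected: Any) -> bool:
    """`equals` accepts an integer or a string and only matches a value of the same kind,
    so an integer condition never matches a string field (assumed semantics)."""
    actual = get_path(event, field)
    if actual is None:
        return False
    if isinstance(expected, str):
        return isinstance(actual, str) and actual == expected
    if isinstance(expected, int) and not isinstance(expected, bool):
        return isinstance(actual, int) and not isinstance(actual, bool) and actual == expected
    raise TypeError("equals accepts only an integer or a string value")


def contains(event: Dict[str, Any], field: str, needle: str) -> bool:
    """`contains` accepts only a string and is a substring test over a string field
    or an array of strings; it never matches a numeric field."""
    if not isinstance(needle, str):
        raise TypeError("contains accepts only a string value")
    actual = get_path(event, field)
    if isinstance(actual, str):
        return needle in actual
    if isinstance(actual, list):
        return any(isinstance(v, str) and needle in v for v in actual)
    return False


def field_type(field_mapping_response: str, index: str, field: str) -> Optional[str]:
    """Read the mapped type of `field` out of a `_mapping/field/<name>` response body."""
    doc = json.loads(field_mapping_response)
    try:
        leaf = field.rsplit(".", 1)[-1]
        return doc[index]["mappings"][field]["mapping"][leaf]["type"]
    except KeyError:
        return None


# Constructed sample events (not real log data): pre-7.13 integer ID, post-7.13 string ID.
OLD_EVENT = {"winlog": {"event_id": 4634}, "event": {"code": 4634}}
NEW_EVENT = {"winlog": {"event_id": "4634"}, "event": {"code": "4634"}}
# Constructed hypothetical event whose ID merely contains the digits "4634".
OTHER_EVENT = {"winlog": {"event_id": "14634"}, "event": {"code": "14634"}}

# Constructed response mirroring the mapping output in the post above.
INDEX = "winlogbeat-7.13.0-2021.05.29"
MAPPING_RESPONSE = json.dumps({INDEX: {"mappings": {
    "winlog.event_id": {"full_name": "winlog.event_id", "mapping": {"event_id": {
        "type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
}}})


def drop_decisions() -> Dict[str, bool]:
    """Which condition would match which event, as a drop_event processor would see it."""
    return {
        "old_event/equals_int": equals(OLD_EVENT, "winlog.event_id", 4634),
        "new_event/equals_int": equals(NEW_EVENT, "winlog.event_id", 4634),
        "new_event/equals_str": equals(NEW_EVENT, "winlog.event_id", "4634"),
        "new_event/contains_str": contains(NEW_EVENT, "winlog.event_id", "4634"),
        "other_event/contains_str": contains(OTHER_EVENT, "winlog.event_id", "4634"),
        "other_event/equals_str": equals(OTHER_EVENT, "winlog.event_id", "4634"),
    }


if __name__ == "__main__":
    for name, matched in drop_decisions().items():
        print(f"{name:26s} -> {'DROP' if matched else 'keep'}")
    print("winlog.event_id mapped as:", field_type(MAPPING_RESPONSE, INDEX, "winlog.event_id"))
```

The `other_event/contains_str` row is the caveat worth keeping in mind: `contains` is a substring test, so it would also drop any event whose ID happens to contain the digits `4634`, whereas `equals.winlog.event_id: "4634"` (a string, so it is accepted on a string field) stays exact. On the mapping side, the `text` with a `keyword` sub-field shape shown above is what Elasticsearch's dynamic mapping produces for a string it has never seen a template for; the Winlogbeat index template maps `event.code` as `keyword`, so a `text` mapping is a hint that the template was not applied to that index.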