Winlogbeat modified to Text and Keyword

mathurin68 · January 16, 2018, 4:22pm

I modified winlogbeat template -
Current -

{
  "winlogbeat-2018.01.02": {
    "mappings": {
      "doc": {
        "event_data.CommandLine": {
          "full_name": "event_data.CommandLine",
          "mapping": {
            "CommandLine": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    }
  }
}

to this ...

{,
        {
          "event_data": {
            "mapping": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "match_mapping_type": "string",
            "path_match": "event_data.*"
          }
        }

and it seemed to work -

Text field works and I can run full text searches on everything BUT the keyword field is totally empty...

mathurin68 · January 16, 2018, 5:11pm

Alright correction, the field doesn't work in the 'Discover', but I can do aggregations in Visualize???? No idea what I did...

but the field is empty in 'Discover' --

No idea... but appreciate any suggestions.

Topic		Replies	Views
Multi-field on CommandLine in Winlogbeat Beats winlogbeat	6	1310	February 13, 2018
Map winlog.event_data.param* to text Beats winlogbeat	1	243	May 8, 2023
Winlogbeat missing mapping fields Beats filebeat , packetbeat , metricbeat , winlogbeat	19	1778	November 20, 2020
Winlogbeat event_data.param17 format change with MapperParsingException Beats winlogbeat	3	843	May 17, 2017
winlog.event_data.Image.keyword not populated Beats winlogbeat	3	751	November 18, 2021

Winlogbeat modified to Text and Keyword

Related topics