Winlogbeat modified to Text and Keyword

mathurin68 · January 16, 2018, 4:22pm

I modified winlogbeat template -
Current -

{
  "winlogbeat-2018.01.02": {
    "mappings": {
      "doc": {
        "event_data.CommandLine": {
          "full_name": "event_data.CommandLine",
          "mapping": {
            "CommandLine": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    }
  }
}

to this ...

{,
        {
          "event_data": {
            "mapping": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "match_mapping_type": "string",
            "path_match": "event_data.*"
          }
        }

and it seemed to work -

Text field works and I can run full text searches on everything BUT the keyword field is totally empty...

mathurin68 · January 16, 2018, 5:11pm

Alright correction, the field doesn't work in the 'Discover', but I can do aggregations in Visualize???? No idea what I did...

but the field is empty in 'Discover' --

No idea... but appreciate any suggestions.