Wrong ML Job query packetbeat_rare_user_agent or missing event.dataset in network traffic data?

willemdh · April 18, 2025, 1:19pm

Hello,

The query of the managed machine learning job packetbeat_rare_user_agent doesn't match with any documents. It seems like event.dataset is not in the logs-network_traffic.http-* datastream?

{"bool":{"filter":[{"term":{"agent.type":"packetbeat"}}],"should":[{"term":{"event.dataset":"http"}},{"term":{"event.dataset":"network_traffic.http"}}],"minimum_should_match":1,"must_not":[{"wildcard":{"user_agent.original":{"value":"Mozilla*"}}}]}}

Changed the to "event.dataset" to "data_stream.dataset" and it works.

Willem

RylandHerrick · April 29, 2025, 6:44pm

@willemdh your assessment looks accurate, here: some of our newer integrations are populating data_stream.dataset instead of the earlier event.dataset, and our ML Jobs have not been updated to capture those data.

The team has filed an issue to track/update the ML job queries, but your workaround should also suffice in the interim: changing either the query or the data should address the issue.

willemdh · April 29, 2025, 6:56pm

Thanks @RylandHerrick !

system · May 27, 2025, 6:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Machine learning and firewall logs Elasticsearch elastic-stack-machine-learning	11	3700	June 18, 2017
Prebuilt ML jobs fail SIEM elastic-stack-machine-learning	10	674	May 18, 2020
Packetbeat Rare DNS Questions ML Job Customization SIEM elastic-stack-machine-learning	7	830	October 27, 2020
ML Datafeed lookback retrieved no data Elasticsearch elastic-stack-machine-learning	10	2512	April 17, 2018
Error creating Machine Learning job Elasticsearch elastic-stack-machine-learning	17	3814	June 27, 2017

Wrong ML Job query packetbeat_rare_user_agent or missing event.dataset in network traffic data?

Related topics