
Add checks to "RENAME X to event.original" processors across Filebeat module pipelines

Open rseldner opened this issue 11 months ago • 0 comments

Describe the enhancement: Update Filebeat module pipelines to include a conditional check for the existence of `event.original`.

Describe a specific use case for the enhancement or feature:

When renaming a field to `event.original`, it appears the ingest pipelines for Filebeat modules generally do not take into account whether `event.original` already exists, which can occur when using Logstash. This can result in "field [event.original] already exists" errors.

This has been addressed in Elastic Agent integrations' pipelines by including a conditional check:

`if: ctx.event?.original == null`

PR: https://github.com/elastic/integrations/issues/7822

It would be nice to implement the same logic in the Filebeat ingest pipelines.

Example:

Filebeat IIS Module:

```yaml
- rename:
    field: message
    target_field: event.original
```

IIS Integration:

```yaml
- rename:
    field: message
    target_field: event.original
    ignore_missing: true
    if: 'ctx.event?.original == null'
```

rseldner, Mar 07 '24 19:03
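One way to find the affected processors across pipelines, as an added example that is not part of the original issue or of the Beats code base: a checker that walks an ingest pipeline in its JSON form and reports every `rename` into `event.original` that lacks the guard quoted above. The function names, the guard-matching regex and the sample pipeline are assumptions constructed for illustration.

```python
import json
import re

TARGET = "event.original"
# Heuristic (assumption): accept the guard from the issue,
# `ctx.event?.original == null`, with or without the null-safe `?.`.
GUARD = re.compile(r"ctx\.event\??\.original\s*==\s*null")

def unguarded_renames(processors, path="processors"):
    """Return paths of rename processors that write event.original unguarded."""
    findings = []
    for i, proc in enumerate(processors):
        for kind, cfg in proc.items():
            if not isinstance(cfg, dict):
                continue
            where = f"{path}[{i}].{kind}"
            if (kind == "rename" and cfg.get("target_field") == TARGET
                    and not GUARD.search(cfg.get("if", ""))):
                findings.append(where)
            # foreach wraps a single processor; any processor may carry on_failure
            if isinstance(cfg.get("processor"), dict):
                findings += unguarded_renames([cfg["processor"]], where + ".processor")
            if isinstance(cfg.get("on_failure"), list):
                findings += unguarded_renames(cfg["on_failure"], where + ".on_failure")
    return findings

def check_pipeline(pipeline):
    """Check top-level processors and the pipeline-level on_failure handlers."""
    return (unguarded_renames(pipeline.get("processors", []))
            + unguarded_renames(pipeline.get("on_failure", []), "on_failure"))

# Constructed sample, not a real module pipeline.
SAMPLE_PIPELINE = json.loads("""
{
  "description": "constructed sample",
  "processors": [
    {"rename": {"field": "message", "target_field": "event.original"}},
    {"rename": {"field": "message", "target_field": "event.original",
                "ignore_missing": true, "if": "ctx.event?.original == null"}},
    {"grok": {"field": "event.original", "patterns": ["%{GREEDYDATA:rest}"],
              "on_failure": [
                {"rename": {"field": "raw", "target_field": "event.original"}}]}}
  ]
}
""")

if __name__ == "__main__":
    for location in check_pipeline(SAMPLE_PIPELINE):
        print("unguarded rename to event.original at", location)
```

Pipelines stored as YAML need to be loaded with a YAML parser first; the walk over the resulting structure is the same.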