Cisco asa/ftd: Remove _temp_ fields on failure

The shared pipeline for Cisco ASA and FTD creates temporary fields under the _temp_ object. If a failure happens in the middle of the pipeline, all those fields would be indexed, causing the index mapping to grow too big. Fixes elastic#18391
adriansr · May 8, 2020 · c686c13 · c686c13
1 parent c88f07f
commit c686c13
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1277,6 +1277,16 @@ processors:
       ignore_missing: true
 
 on_failure:
+  # Copy any fields under _temp_.cisco to its final destination. Those can help
+  # with diagnosing the failure.
+  - rename:
+      field: _temp_.cisco
+      target_field: "cisco.{< .internal_prefix >}"
+      ignore_failure: true
+  # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+  - remove:
+      field: _temp_
+      ignore_missing: true
   - append:
       field: "error.message"
       value: "{{ _ingest.on_failure_message }}"