Osquerybeat: set the raw index name to supress the timestamp suffix

elastic · Jun 28, 2021 · 28e0abf · 28e0abf
1 parent a300f1b
commit 28e0abf
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/x-pack/osquerybeat/beater/osquerybeat.go b/x-pack/osquerybeat/beater/osquerybeat.go
@@ -19,6 +19,7 @@ import (
  "golang.org/x/sync/errgroup"
 
  "github.com/elastic/beats/v7/libbeat/beat"
+ "github.com/elastic/beats/v7/libbeat/beat/events"
  "github.com/elastic/beats/v7/libbeat/common"
  "github.com/elastic/beats/v7/libbeat/logp"
  "github.com/elastic/beats/v7/libbeat/processors"
@@ -430,7 +431,7 @@ func (bt *osquerybeat) publishEvents(index, actionID, responseID string, hits []
  event.Fields["response_id"] = responseID
  }
  if index != "" {
- event.Meta = common.MapStr{"index": index}
+ event.Meta = common.MapStr{events.FieldMetaRawIndex: index}
  }
 
  bt.client.Publish(event)