[Auditbeat] file.origin and file.origin.raw multi-fields are both keyword #12423
Comments
Pinging @elastic/siem (Team:SIEM)
adriansr added a commit to adriansr/beats that referenced this issue Mar 2, 2020
The `raw` part of the multifield was unnecessary because it was keyword like the base field. Replaced with `file.origin.text` of type text as ECS recommends. Fixes elastic#12423
adriansr added a commit that referenced this issue Mar 3, 2020
) The `raw` part of the multifield was unnecessary because it was keyword like the base field. Replaced with `file.origin.text` of type text as ECS recommends. Fixes #12423
As of #10544 both `file.origin` and `file.origin.raw` are both `keyword` type. The idea behind having a multi-field is to allow one of the fields to be analyzed to help with searching.

To fix the issue we should remove `file.origin.raw` and add `file.origin.text` that is `text`. This would follow the ECS convention.
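A check for the condition this issue describes, as an added example that is not part of the original issue or the Beats code base: it walks an Elasticsearch index mapping and reports every multi-field whose type is the same as its parent field's type. The helper names `origin_mapping` and `redundant_multi_fields` are hypothetical, and both mappings are constructed from the field names and types given in the issue.

```python
"""Flag multi-fields that duplicate the type of their parent field."""


def origin_mapping(sub_name, sub_type):
    """Build a constructed index mapping for file.origin with one multi-field."""
    return {"properties": {"file": {"properties": {"origin": {
        "type": "keyword",
        "fields": {sub_name: {"type": sub_type}},
    }}}}}


# Constructed sample: the state reported in the issue (keyword + keyword).
BEFORE = origin_mapping("raw", "keyword")
# Constructed sample: the proposed fix (keyword + analyzed text sub-field).
AFTER = origin_mapping("text", "text")


def redundant_multi_fields(mapping, prefix=""):
    """Return dotted names of sub-fields whose type equals their parent's."""
    findings = []
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        parent_type = spec.get("type")
        for sub, sub_spec in spec.get("fields", {}).items():
            # A sub-field of the same type indexes the value the same way
            # twice, so it adds storage without adding a new way to search.
            if parent_type is not None and sub_spec.get("type") == parent_type:
                findings.append(f"{path}.{sub}")
        # Object fields carry nested "properties"; recurse into them.
        findings.extend(redundant_multi_fields(spec, prefix=f"{path}."))
    return sorted(findings)


if __name__ == "__main__":
    print("before:", redundant_multi_fields(BEFORE))
    print("after: ", redundant_multi_fields(AFTER))
```

The same function can be pointed at the `mappings` object of a generated index template to catch other fields with this pattern.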