Bests preserve original format #20774
Labels
Comments
botelastic
bot
added
the
needs_team
|
Pinging @elastic/siem (Team:SIEM) |
marc-gr
added
enhancement
and removed
needs_team
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the enhancement:
Add a flag into various parsers to keep original formatting vs moving fields to the ECS format.
Describe a specific use case for the enhancement or feature:
Sometimes it is needed to keep the original event in an an unaltered state for compliance reasons.
#18526
This parser is great and very helpful for search and detection, but sometimes the original event is needed to be preserved. Please add a flag to preserve original event fields without requiring the full raw event to be stored in event.original.
The text was updated successfully, but these errors were encountered: