[Auditbeat] file.origin and file.origin.raw multi-fields are both keyword #12423
Comments
|
Pinging @elastic/siem (Team:SIEM) |
adriansr
added a commit
to adriansr/beats
that referenced
this issue
Mar 2, 2020
The `raw` part of the multifield was unnecessary because it was keyword like the base field. Replaced with `file.origin.text` of type text as ECS recommends. Fixes elastic#12423
adriansr
added a commit
that referenced
this issue
Mar 3, 2020
) The `raw` part of the multifield was unnecessary because it was keyword like the base field. Replaced with `file.origin.text` of type text as ECS recommends. Fixes #12423
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As of #10544 both
file.originandfile.origin.raware bothkeywordtype. The idea behind having a multi-field is to allow one of the fields to be analyzed to help with searching.To fix the issue we should remove
file.origin.rawand addfile.origin.textthat istext. This would follow the ECS convention.The text was updated successfully, but these errors were encountered: