elastic · adriansr · Mar 3, 2020 · Jan 17, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -17,6 +17,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Auditbeat*
 
+- File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
 
 *Filebeat*
 

diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
@@ -26,11 +26,11 @@
           supported in macOS, via the kMDItemWhereFroms attribute.
           Omitted if origin information is not available.
       multi_fields:
-      - name: raw
-        type: keyword
+      - name: text
+        type: text
         description: >
-          This is a non-analyzed field that is useful for aggregations on the
-          origin data.
+          This is an analyzed field that is useful for full text search
+          on the origin data.
 
     - name: selinux
       type: group

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -2645,13 +2645,13 @@ type: keyword
 
 --
 
-*`file.origin.raw`*::
+*`file.origin.text`*::
 +
 --
-This is a non-analyzed field that is useful for aggregations on the origin data.
+This is an analyzed field that is useful for full text search on the origin data.
 
 
-type: keyword
+type: text
 
 --
 

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go