From 08557ae2875ff6fb8959bd28573394acede60a6b Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 11 Jun 2024 11:01:34 -0400
Subject: [PATCH] kafka.id field should only be present when metadata for kafka
 exists

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
index a17b3a17a..899ec0c64 100644
--- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
+++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
@@ -84,7 +84,7 @@
     { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
     { "set":        { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
     { "rename":        { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
-    { "set":        { "field": "kafka.id", "value": "{{metadata.kafka.partition}}-{{metadata.kafka.offset}}-{{metadata.kafka.timestamp}}", "ignore_failure": true } },
+    { "set":        { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}-{{metadata.kafka.offset}}-{{metadata.kafka.timestamp}}", "ignore_failure": true } },
     { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
   ],
   "on_failure": [