From 4dd72ad15c54254f6dece22f80faaf6a01ebc6e8 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 7 Mar 2025 17:05:13 -0600
Subject: [PATCH] fix osquery action_data mapping conflict

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/defaults.yaml | 2 +-
 .../logs-osquery_manager.result@custom.json | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 02e2f7ccb..7b38ed0bb 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2742,7 +2742,7 @@ elasticsearch:
 - logs-osquery_manager.actions
 ignore_missing_component_templates: []
 index_patterns:
- - .logs-osquery_manager.actions*
+ - .logs-osquery_manager.actions-*
 priority: 501
 template:
 settings:
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
new file mode 100644
index 000000000..83a68c814
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
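Review bot: The tightened pattern `.logs-osquery_manager.actions-*` is a behavioural change that nothing in the YAML explains: the old `.logs-osquery_manager.actions*` also claimed any index whose name merely continued that prefix, while the new one only claims backing indices named `.logs-osquery_manager.actions-<suffix>`, and because this entry carries `priority: 501` it is meant to win over other templates on whatever it matches, so the difference matters. A maintainer reading defaults.yaml cannot tell whether the hyphen is load-bearing or a typo; add a comment above `index_patterns:` such as `# trailing hyphen: match only this data stream's backing indices, not sibling indices that share the prefix`. The enclosing `elasticsearch:` index-template entry starts outside the hunk, and the commit message does not mention this file, so its relationship to the action_data conflict is inferred rather than visible here.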
@@ -0,0 +1,49 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "action_data.ecs_mapping": {
+ "path_match": "action_data.ecs_mapping.*",
+ "mapping": {
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "properties": {
+ "action_data": {
+ "dynamic": true,
+ "type": "object",
+ "properties": {
+ "ecs_mapping": {
+ "dynamic": true,
+ "type": "object"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
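Review bot: `action_data.ecs_mapping` is left `"dynamic": true`, so every distinct key that ever appears under it becomes a new mapped field in the result index, and those keys are chosen by whoever submits the osquery query, which grows the mapping toward `index.mapping.total_fields.limit` over time. The new dynamic template only narrows this for `"match_mapping_type": "string"`: a non-string value first seen under some `action_data.ecs_mapping.*` path is mapped by Elasticsearch defaults (for example `long`), and a later document carrying a string at that same path is then rejected with a mapping error, which is the same class of conflict this commit sets out to fix. If the ecs_mapping sub-keys do not need to be aggregated individually, `"ecs_mapping": { "type": "flattened" }` bounds the field count and accepts any value shape under one mapping; otherwise widen the dynamic template to `"match_mapping_type": "*"` so every dynamically created sub-field is `keyword`. The file also ends without a trailing newline (`\ No newline at end of file`), which will show up as noise in every future diff of this file.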