fix osquery action_data mapping conflict

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2025-12-15 21:52:47 +01:00 · 2025-03-07 17:05:13 -06:00
parent 6a5377ceac
commit 4dd72ad15c
2 changed files with 50 additions and 1 deletions
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
@@ -0,0 +1,49 @@
+{
+  "template": {
+    "mappings": {
+      "dynamic_templates": [
+        {
+          "action_data.ecs_mapping": {
+            "path_match": "action_data.ecs_mapping.*",
+            "mapping": {
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ],
+      "properties": {
+        "action_data": {
+          "dynamic": true,
+          "type": "object",
+          "properties": {
+            "ecs_mapping": {
+              "dynamic": true,
+              "type": "object"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "platform": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "saved_query_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}