From 5d86edeed4e1414c0343bc7ed6c3d251b54e33ee Mon Sep 17 00:00:00 2001
From: Wes <wlambertts@gmail.com>
Date: Wed, 11 Jan 2023 13:57:32 +0000
Subject: [PATCH] Modify Logstash Elastic Agent output to accomodate for events
 with and without 'metadata.pipeline'

---
 .../so/9805_output_elastic_agent.conf.jinja   | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
index ed81d4322..1c770c7b0 100644
--- a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
@@ -1,14 +1,28 @@
 output {
   if "elastic-agent" in [tags] and "import" not in [tags] {
-      elasticsearch {
-        hosts => "{{ GLOBALS.manager }}"
-        ecs_compatibility => v8
-        data_stream => true
-        user => "{{ ES_USER }}"
-        password => "{{ ES_PASS }}"
-        ssl => true
-        ssl_certificate_verification => false
+      if [metadata][pipeline] {
+        elasticsearch {
+          hosts => "{{ GLOBALS.manager }}"
+          ecs_compatibility => v8
+          data_stream => true
+          user => "{{ ES_USER }}"
+          password => "{{ ES_PASS }}"
+          pipeline => "%{[metadata][pipeline]}"
+          ssl => true
+          ssl_certificate_verification => false
+        }
       }
+      else {
+        elasticsearch {
+          hosts => "{{ GLOBALS.manager }}"
+          ecs_compatibility => v8
+          data_stream => true
+          user => "{{ ES_USER }}"
+          password => "{{ ES_PASS }}"
+          ssl => true
+          ssl_certificate_verification => false    
+        }
+     }
   }
 }