From 6d87620c6a8c2b371d706c893abadd99d221c2e3 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 22 Mar 2023 11:04:18 -0400
Subject: [PATCH] Explicitly set 'event.dataset' as 'file'

---
 salt/elasticsearch/files/ingest/strelka.file | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file
index fbcf1252a..80063c531 100644
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -1,6 +1,7 @@
 {
   "description" : "strelka",
   "processors" : [
+    { "set": { "field": "event.dataset", "value": "file" } },
     { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
     { "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } },
     { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },
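Review bot: The added `set` processor runs with the processor's default `override: true`, so any `event.dataset` value the shipper already placed on the document is silently replaced, and because it sits ahead of the `json` step (which has `ignore_failure: true`) a record whose `message` is not valid JSON is still stamped as a Strelka file event even though no `file.*` or `scan.*` fields will exist; detections and dashboards keyed on `event.dataset: file` should expect such hollow documents. If the intent is only to fill the field when absent, change the line to `{ "set": { "field": "event.dataset", "value": "file", "override": false } }`; if it is meant to be authoritative, a short `description` note saying so would save the next reader from guessing. The bare value `file` is not namespaced, so if any other pipeline on the same cluster also emits `event.dataset: file`, consumers cannot tell the sources apart unless `event.module` is set alongside it (presumably upstream — confirm), e.g. `{ "set": { "field": "event.module", "value": "strelka" } }`. The `processors` array and the enclosing pipeline object continue past the end of the hunk.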