diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result index 5d57d81d9..669cc35e5 100644 --- a/salt/elasticsearch/files/ingest/osquery.query_result +++ b/salt/elasticsearch/files/ingest/osquery.query_result @@ -2,7 +2,7 @@ "description" : "osquery", "processors" : [ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "" } }, + { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } }, { "json": { "field": "message2.columns.data", "target_field": "message2.columns.winlog", "ignore_failure": true } }, { "script": { @@ -14,7 +14,7 @@ { "rename": { "field": "osquery.result.calendarTime", "target_field": "osquery.result.calendar_time", "ignore_missing": true } }, { "rename": { "field": "osquery.result.unixTime", "target_field": "osquery.result.unix_time", "ignore_missing": true } }, { "json": { "field": "message", "target_field": "message3", "ignore_failure": true } }, - { "gsub": { "field": "message3.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "" } }, + { "gsub": { "field": "message3.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } }, { "json": { "field": "message3.columns.data", "target_field": "message3.columns.winlog", "ignore_failure": true } }, { "rename": { "field": "message3.columns.username", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "message3.columns.uid", "target_field": "user.uid", "ignore_missing": true } },