From 6332509a335628b562e12aecb6ae8d8f70ab5c13 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 15 Apr 2020 20:22:54 -0400
Subject: [PATCH] osquery pipeline fix
---
 salt/elasticsearch/files/ingest/osquery.query_result | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result
index 5d57d81d9..669cc35e5 100644
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -2,7 +2,7 @@
 "description" : "osquery",
 "processors" : [
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "" } },
+ { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } },
 { "json": { "field": "message2.columns.data", "target_field": "message2.columns.winlog", "ignore_failure": true } },
 {
 "script": {
@@ -14,7 +14,7 @@
 { "rename": { "field": "osquery.result.calendarTime", "target_field": "osquery.result.calendar_time", "ignore_missing": true } },
 { "rename": { "field": "osquery.result.unixTime", "target_field": "osquery.result.unix_time", "ignore_missing": true } },
 { "json": { "field": "message", "target_field": "message3", "ignore_failure": true } },
- { "gsub": { "field": "message3.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "" } },
+ { "gsub": { "field": "message3.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } },
 { "json": { "field": "message3.columns.data", "target_field": "message3.columns.winlog", "ignore_failure": true } },
 { "rename": { "field": "message3.columns.username", "target_field": "user.name", "ignore_missing": true } },
 { "rename": { "field": "message3.columns.uid", "target_field": "user.uid", "ignore_missing": true } },
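Review bot: The `gsub` processor on `message2.columns.data` in the first hunk still has no handling for any failure other than an absent field: `ignore_missing` skips a missing or null field, but a `columns.data` that is present and not a string would still make the processor throw. With no `on_failure` visible in these hunks, that would presumably reject the whole osquery event at ingest, which is a silent gap in the detection data. The neighbouring `json` processors already carry `"ignore_failure": true`, so consider `"ignore_missing": true, "ignore_failure": true` here, or an `on_failure` block that appends a tag so affected events stay indexed and can be found. The same applies to the `message3.columns.data` `gsub` in the second hunk. The processor list continues outside both hunks, so a pipeline-level `on_failure` may already exist and should be checked.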