From d4f7a07f857d9bd9461ff38c4de19e28c07eb9aa Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 18 Aug 2020 15:54:11 -0400
Subject: [PATCH] Osquery Parsing fix

---
 salt/elasticsearch/files/ingest/osquery.query_result | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result
index 2005252b6..3a6ed15a3 100644
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -18,8 +18,8 @@
 "source": "def dict = ['result': new HashMap()]; for (entry in ctx['message2'].entrySet()) { dict['result'][entry.getKey()] = entry.getValue(); } ctx['osquery'] = dict; "
 }
 },
- { "set": { "field": "event.module", "value": "osquery" } },
- { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}"} },
+ { "set": { "field": "event.module", "value": "osquery", "override": false } },
+ { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}", "override": false} },
 { "pipeline": { "name": "common" } }
 ]
 }
\ No newline at end of file
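Review bot: With `"override": false` on both added `set` processors, any `event.module` or `event.dataset` already present on the incoming document now survives the pipeline, so the osquery classification is only as trustworthy as whatever stage populated those fields upstream; if that stage can include the raw event body rather than a shipper-controlled field, a mislabelled event would slip past detections keyed on `event.module: osquery` or `event.dataset`. The commit message says only "Osquery Parsing fix" and does not name which upstream stage is expected to pre-populate these fields or why the previous unconditional stamping broke parsing; since an ingest pipeline definition has no comment syntax, recording that in the commit message is the only place a future reader can check the assumption. The two `set` processors sit inside the pipeline's `processors` array, whose start is outside this hunk.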