{"template": { "mappings": { "properties": { "completed_at": { "type": "date" }, "action_response": { "properties": { "osquery": { "properties": { "count": { "type": "long" } } } } }, "@timestamp": { "type": "date" }, "agent_id": { "ignore_above": 1024, "type": "keyword" }, "action_id": { "ignore_above": 1024, "type": "keyword" }, "count": { "type": "long" }, "started_at": { "type": "date" }, "action_input_type": { "ignore_above": 1024, "type": "keyword" }, "error": { "type": "text", "fields": { "keyword": { "ignore_above": 1024, "type": "keyword" } } }, "event": { "properties": { "agent_id_status": { "ignore_above": 1024, "type": "keyword" }, "ingested": { "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", "type": "date" } } }, "action_data": { "properties": { "saved_query_id": { "ignore_above": 1024, "type": "keyword" }, "query": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "ecs_mapping": { "type": "object", "enabled": false }, "platform": { "ignore_above": 1024, "type": "keyword" } } } } } } }