Closed roaksoax closed 12 months ago
Currently blocked on https://github.com/elastic/ingest-dev/issues/1792
In the latest version (starting from 0.0.2), we should not need to remove the @version field.
I use version 0.0.3 and no @version field was present in the Logstash event, so no need to delete it.
Closing this issue as this is no longer a problem after https://github.com/elastic/ingest-dev/issues/1792 has been fixed and released.
On a recent test of the m365_defender integration (slack thread), the user had to do two things that would make it appear that this feature of Logstash doesn't work out of the box.
First, he needed to remove the @version field on the integration.
Second, he needed to set the _document_id_ field on the Elasticsearch Output, so that he wouldn't receive duplicate events.
The user had to do this because Logstash doesn't pass through some metadata fields, and the issue has an RFC / potential solution.
However, this currently would cause users to try to use various integrations out of the box, and things would not work as expected, or would require them to add/remove fields/settings. This creates a barrier to entry and complicates the use of Logstash, especially if multiple integrations were used that would require various use cases to be handled.
As such, at the very least, we need to identify and document the following: