[Auditbeat] macOS: Replace file.origin.raw with file.origin.text
The `raw` part of the multifield was unnecessary because it was keyword
like the base field. Replaced with `file.origin.text` of type text as
ECS recommends.

Fixes elastic#12423
adriansr committed Mar 2, 2020
1 parent e935b26 commit e36d635
Showing 4 changed files with 9 additions and 8 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -17,6 +17,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Auditbeat*

- File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]

*Filebeat*
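
Review bot: The added changelog line marks up the two types inconsistently: `file.origin.raw` is "(type keyword)" without backticks, while the replacement is "(type `text`)". Use the same markup for both. Because the entry removes a field, it would also help to tell readers that aggregations and exact-match filters should move to `file.origin`, which the commit message says is already keyword.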

8 changes: 4 additions & 4 deletions auditbeat/_meta/fields.common.yml
Expand Up @@ -26,11 +26,11 @@
supported in macOS, via the kMDItemWhereFroms attribute.
Omitted if origin information is not available.
multi_fields:
- name: raw
type: keyword
- name: text
type: text
description: >
This is a non-analyzed field that is useful for aggregations on the
origin data.
This is an analyzed field that is useful for full text search
on the origin data.
- name: selinux
type: group
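
Review bot: The `raw` entry under `multi_fields` is dropped with no alias or migration note, so saved searches, dashboards and alert rules that reference `file.origin.raw` will stop matching on indices created from the updated template. Consider extending the `description` of `text` to say that aggregations belong on the keyword base field `file.origin`, and call the removal out for users who filter on download origin.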
6 changes: 3 additions & 3 deletions auditbeat/docs/fields.asciidoc
Expand Up @@ -2645,13 +2645,13 @@ type: keyword
--
*`file.origin.raw`*::
*`file.origin.text`*::
+
--
This is a non-analyzed field that is useful for aggregations on the origin data.
This is an analyzed field that is useful for full text search on the origin data.
type: keyword
type: text
--
2 changes: 1 addition & 1 deletion auditbeat/include/fields.go

Large diffs are not rendered by default.
