add multi_fields in aws cloudtrail fileset

A keyword representation of the following fields was stored. Adding text multi_fields so it can be searched more easily. - request_parameters - response_elements - additional_eventdata - service_event_details Closes elastic#18866
leehinman · Jun 5, 2020 · 6bb15ae · 6bb15ae
1 parent 0a669eb
commit 6bb15ae
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -42,6 +42,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 * iptables {pull}18756[18756]
 * Checkpoint {pull}18754[18754]
 - Preserve case of http.request.method.  ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359]
+- In aws cloudtrail fileset add multi_fields for request_parameters, response_elements, additional_eventdata & service_event_details. {issue}18866[18866] {pull}XXX[XXX]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -1227,6 +1227,13 @@ type: keyword
 
 --
 
+*`aws.cloudtrail.request_parameters.text`*::
++
+--
+type: text
+
+--
+
 *`aws.cloudtrail.response_elements`*::
 +
 --
@@ -1236,6 +1243,13 @@ type: keyword
 
 --
 
+*`aws.cloudtrail.response_elements.text`*::
++
+--
+type: text
+
+--
+
 *`aws.cloudtrail.additional_eventdata`*::
 +
 --
@@ -1245,6 +1259,13 @@ type: keyword
 
 --
 
+*`aws.cloudtrail.additional_eventdata.text`*::
++
+--
+type: text
+
+--
+
 *`aws.cloudtrail.request_id`*::
 +
 --
@@ -1341,6 +1362,13 @@ type: keyword
 
 --
 
+*`aws.cloudtrail.service_event_details.text`*::
++
+--
+type: text
+
+--
+
 *`aws.cloudtrail.shared_event_id`*::
 +
 --

diff --git a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml
@@ -90,16 +90,25 @@
       type: keyword
       description: >-
         The parameters, if any, that were sent with the request.
+      multi_fields:
+        - name: text
+          type: text
     - name: response_elements
       type: keyword
       description: >-
         The response element for actions that make changes (create,
         update, or delete actions).
+      multi_fields:
+        - name: text
+          type: text
     - name: additional_eventdata
       type: keyword
       description: >-
         Additional data about the event that was not part of the
         request or response.
+      multi_fields:
+        - name: text
+          type: text
     - name: request_id
       type: keyword
       description: >-
@@ -149,6 +158,9 @@
       description: >-
         Identifies the service event, including what triggered the
         event and the result.
+      multi_fields:
+        - name: text
+          type: text
     - name: shared_event_id
       type: keyword
       description: >-

diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go