Event Hub: mapper_parsing_exception in activitylogs and signinlogs #30886

@JohannesMahne

Azure Event Hub Activity logs and Sign-in logs throw a mapper_parsing_exception.

Beats version: 7.17.1

Activity Logs:

```
{\"type\":\"mapper_parsing_exception\",\"reason\":\"object mapping for [azure.activitylogs.identity] tried to parse field [identity] as object, but found a concrete value\"}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
```

Sign-in Logs:

```
{\"type\":\"mapper_parsing_exception\",\"reason\":\"failed to parse field [azure.signinlogs.properties.authentication_requirement_policies] of type [keyword] in document with id 'CCydc38BLuj6TRb2fee_'. Preview of field's value: '{detail=Conditional Access, requirement_provider=multiConditionalAccess}'\",\"caused_by\":{\"type\":\"illegal_state_exception\",\"reason\":\"Can't get text on a START_OBJECT at 1:2526\"}}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
```

The majority of the logs have not been parsed correctly and are showing all the event data in the message field with no parsing done. There are a very small number of logs that have been parsed and display the correct and expected fields.

When doing a field name search in Discover, only the following fields are returned:
image
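
Added example (not part of the original issue, and not Filebeat or Elasticsearch code): a pre-indexing check for the two shape conflicts reported above, a concrete value where the mapping declares an object and an object where it declares `keyword`. The mapping and events are constructed to mirror the two error messages and assume nested (not dotted-key) event JSON; the real index template may differ.

```python
# Added example. MAPPING and EVENTS are constructed to mirror the two errors
# in the issue; they are not copied from the real Filebeat index template.
SCALAR_TYPES = {"keyword", "text", "long", "integer", "boolean", "date", "ip"}

MAPPING = {"properties": {"azure": {"properties": {
    "activitylogs": {"properties": {
        "identity": {"properties": {"claims": {"type": "object"}}}}},
    # Below, the middle "properties" is the Azure field of that name;
    # the other two are mapping syntax.
    "signinlogs": {"properties": {"properties": {"properties": {
        "authentication_requirement_policies": {"type": "keyword"}}}}},
}}}}

EVENTS = [
    {"azure": {"activitylogs": {"identity": "someone@example.com"}}},
    {"azure": {"signinlogs": {"properties": {
        "authentication_requirement_policies": [
            {"detail": "Conditional Access",
             "requirement_provider": "multiConditionalAccess"}]}}}},
    {"azure": {"activitylogs": {"identity": {"claims": {"name": "x"}}}}},
]

def is_object(field):
    """True when the mapping entry describes an object, not a leaf value."""
    return "properties" in field or field.get("type") in ("object", "nested")

def find_conflicts(event, mapping, path=""):
    """Return (field path, mapped type, type found) for each shape conflict."""
    conflicts = []
    for name, value in event.items():
        field = mapping.get("properties", {}).get(name)
        if field is None:
            continue  # unmapped: left to the index's dynamic-mapping settings
        full = f"{path}.{name}" if path else name
        # An array is checked element by element, as each element is indexed.
        for v in value if isinstance(value, list) else [value]:
            if v is None:
                continue
            if is_object(field) and not isinstance(v, dict):
                conflicts.append((full, "object", type(v).__name__))
            elif isinstance(v, dict) and field.get("type") in SCALAR_TYPES:
                conflicts.append((full, field["type"], "object"))
            elif isinstance(v, dict):
                conflicts.extend(find_conflicts(v, field, full))
    return conflicts

if __name__ == "__main__":
    for n, ev in enumerate(EVENTS):
        for path, expected, got in find_conflicts(ev, MAPPING):
            print(f"event {n}: {path} is mapped as {expected} but holds {got}")
```

Events flagged by such a check are the ones Elasticsearch rejects and Filebeat then drops, so running it on a sample of Event Hub messages shows which fields need a mapping or pipeline change.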
