Convert read_timestamp to event.created in Journalbeat#10043
Convert read_timestamp to event.created in Journalbeat#10043ruflin merged 6 commits intoelastic:masterfrom
Conversation
This aligns journalbeat with ECS.
|
@kvch Are there other things need in journalbeat that need alignment with ECS? |
|
I think |
|
Trying also to convert it directly in this PR. Can you check if I picked the correct field? |
| sdjournal.SD_JOURNAL_FIELD_EXE: fieldConversion{"process.executable", false, false}, | ||
| sdjournal.SD_JOURNAL_FIELD_GID: fieldConversion{"process.uid", true, false}, | ||
| sdjournal.SD_JOURNAL_FIELD_HOSTNAME: fieldConversion{"host.name", false, false}, | ||
| sdjournal.SD_JOURNAL_FIELD_HOSTNAME: fieldConversion{"host.hostname", false, false}, |
|
I don't see anything else changed recently. I am curious if you are planning to add |
|
@kvch +1 on making these change too. Could you open a PR for it? |
|
Hm, tests seem to fail because of the changes. I hoped my adjustment works, seems like I need to create a setup. @kvch If you have some hints to get this green, let me know. |
|
The problem is that an empty object is still there with the key The whole key-value "pair" has to be deleted: event.Fields.Delete("event") |
|
@kvch Thanks for investigating. Let's see if CI is happy with it, if not will spin up a Linux environment for testing. |
It was tried to fix this in elastic#10043 but it seems it was not successful as it is still flaky. Skipping it again.
The migration entries went missing there. No alias is used for `host.name` to `host.hostname` as both are existing fields.
This aligns journalbeat with ECS.
This aligns journalbeat with ECS.