[Winlogbeat] Fix duplicated type entry #10373
The type entry was duplicated and had text and keyword. Now changed to keyword only.
|
|
||
| - name: xml | ||
| type: keyword | ||
| type: text |
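Review bot: On the `- name: xml` entry, keeping `type: keyword` and dropping `type: text` changes the field's effective mapping rather than only removing a duplicate, because when a YAML mapping carries two `type:` keys, loaders that accept duplicates commonly keep the later one, here `type: text`. If the intent is a pure cleanup, keep `type: text` and delete the `type: keyword` line; if `keyword` is really wanted, state that in the description and account for how long this value can get. A duplicate-key check on fields.yml in CI would catch this class of mistake before it reaches review.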
@andrewkroh Not sure which one was the original intention.
It was text because the value is very long and similar to message. If you change it to keyword then ignore_above needs to be increased from our default.
If full text indexing is deemed important here, we should add it as a multi-field at eventlog.xml.text.
Increasing ignore_above wouldn't help much, I would think.
I'm also good with keeping this as text (I think at the moment it is text because yaml takes the last definition). I don't really see how this field would be used for aggregations or exact match queries.
I changed this back to text as I think this is really a field that will not be used as keyword and should be text only. So overall this PR is now mainly a cleanup of the fields.yml removing the duplicated entry.
Merged for now as this is now only a code cleanup. We can continue the discussion here or on the other Winlogbeat PR if needed.