Conver log.syslog.procid to keyword

janvi-elastic · janvi-elastic · commit 6d5111527679 · 2025-07-18T15:44:41.000+05:30
diff --git a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml
@@ -335,6 +335,12 @@ processors:
       tag: set_ecs-version
       field: ecs.version
       value: 8.11.0
+  - convert:
+      tag: convert_procid
+      field: log.syslog.procid
+      type: string
+      ignore_missing: true
+      if: ctx.log?.syslog?.procid != null
   - remove:
       description: Remove the extra fields added by the Journald input
       ignore_missing: true
diff --git a/packages/system/data_stream/auth/sample_event.json b/packages/system/data_stream/auth/sample_event.json
@@ -1,53 +1,53 @@
 {
     "@timestamp": "2023-09-28T10:10:12.175Z",
     "agent": {
-        "ephemeral_id": "dd9836d3-6523-42dd-a41d-2ae39dee4512",
-        "id": "a5c9a90f-3d55-4f2d-9611-0542c1c2e478",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "37b63105-bf8c-40bd-9698-f79cddec37ba",
+        "id": "6eae09dd-ac20-43be-b710-080fcf41b943",
+        "name": "elastic-agent-99126",
         "type": "filebeat",
-        "version": "8.10.3"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "system.auth",
-        "namespace": "ep",
+        "namespace": "44107",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "a5c9a90f-3d55-4f2d-9611-0542c1c2e478",
+        "id": "6eae09dd-ac20-43be-b710-080fcf41b943",
         "snapshot": false,
-        "version": "8.10.3"
+        "version": "8.18.0"
     },
     "event": {
         "agent_id_status": "verified",
         "dataset": "system.auth",
-        "ingested": "2023-10-23T09:54:41Z",
+        "ingested": "2025-07-18T10:05:01Z",
         "kind": "event",
         "original": "<30>1 2023-09-28T12:10:12.175599+02:00 test.lab.com systemd 153589 - - Stopped target Default.",
         "timezone": "+00:00"
     },
     "host": {
-        "architecture": "aarch64",
-        "containerized": false,
-        "hostname": "docker-fleet-agent",
-        "id": "e68e16d5d74548f1949a49708e59eca0",
+        "architecture": "x86_64",
+        "containerized": true,
+        "hostname": "elastic-agent-99126",
         "ip": [
-            "192.168.112.7"
+            "192.168.240.2",
+            "192.168.253.7"
         ],
         "mac": [
-            "02-42-C0-A8-70-07"
+            "02-42-C0-A8-F0-02",
+            "02-42-C0-A8-FD-07"
         ],
-        "name": "docker-fleet-agent",
+        "name": "elastic-agent-99126",
         "os": {
-            "codename": "focal",
-            "family": "debian",
-            "kernel": "5.15.49-linuxkit-pr",
-            "name": "Ubuntu",
-            "platform": "ubuntu",
+            "family": "",
+            "kernel": "3.10.0-1160.119.1.el7.x86_64",
+            "name": "Wolfi",
+            "platform": "wolfi",
             "type": "linux",
-            "version": "20.04.6 LTS (Focal Fossa)"
+            "version": "20230201"
         }
     },
     "input": {
@@ -75,13 +75,16 @@
         }
     },
     "message": "Stopped target Default.",
+    "process": {
+        "name": "systemd"
+    },
     "related": {
         "hosts": [
-            "docker-fleet-agent"
+            "elastic-agent-99126"
         ]
     },
     "tags": [
         "preserve_original_event",
         "system-auth"
     ]
-}
+}
