@FrankHassanabad
Last active June 9, 2021 18:29
Shadowing runtime fields
# Create a test index whose fields.team field is mapped as text
DELETE frank-test-delme-6
PUT frank-test-delme-6
{
  "mappings": {
    "dynamic": "strict",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "fields": {
        "properties": {
          "team": {
            "type": "text"
          }
        }
      }
    }
  }
}
# Shadow the text field with a keyword runtime field in the first signals index
PUT .siem-signals-hassanabad28-default-000001/_mapping
{
  "runtime": {
    "fields.team": {
      "type": "keyword"
    }
  }
}
# Add the same shadow keyword runtime field to the second signals index
PUT .siem-signals-hassanabad28-default-000002/_mapping
{
  "runtime": {
    "fields.team": {
      "type": "keyword"
    }
  }
}
# Add a document with the text value of "frank"
POST frank-test-delme-6/_doc/1
{
  "@timestamp": "2021-06-09T18:02:16.441Z",
  "fields": {
    "team": "frank"
  }
}
# Add a document without any value
POST frank-test-delme-6/_doc/2
{
  "@timestamp": "2021-06-09T18:02:07.101Z"
}
# Add a document with the text value of "infra"
POST frank-test-delme-6/_doc/3
{
  "@timestamp": "2021-06-09T17:59:47.567Z",
  "fields": {
    "team": "infra"
  }
}
# Term query through the signals alias: the keyword runtime field shadows the text mapping, so the exact value "frank" matches
GET .siem-signals-hassanabad28-default/_search
{
  "query": {
    "term": {
      "fields.team": {
        "value": "frank"
      }
    }
  }
}
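The requests above shadow one hand-picked field. As an added example (not part of the gist or of Kibana), the Python below reads an index mapping of the shape returned by GET <index>/_mapping, finds the dotted fields that are mapped as text, and emits the PUT _mapping body that shadows each one with a keyword runtime field; a runtime field without a script reads its value from _source, which is why the shadow sees the indexed value. The mapping is constructed inline to mirror the frank-test-delme-6 index; `lookup_field` and `build_shadow_runtime` are names chosen here.

```python
from typing import Any, Dict, Iterable, Optional

# Constructed sample: the same mapping the gist PUTs on frank-test-delme-6.
SAMPLE_MAPPING: Dict[str, Any] = {
    "mappings": {
        "dynamic": "strict",
        "properties": {
            "@timestamp": {"type": "date"},
            "fields": {"properties": {"team": {"type": "text"}}},
        },
    }
}


def lookup_field(mapping: Dict[str, Any], dotted: str) -> Optional[Dict[str, Any]]:
    """Walk nested `properties` by a dotted path; return the leaf definition or None."""
    node = mapping["mappings"]
    for part in dotted.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    return node


def build_shadow_runtime(mapping: Dict[str, Any], dotted_fields: Iterable[str]) -> Dict[str, Any]:
    """Return a PUT _mapping body that shadows each `text` field with a keyword runtime field.

    Fields that are missing or not mapped as `text` are skipped on purpose:
    shadowing a keyword field changes nothing, and shadowing a field that is not
    in the mapping would create a runtime field that never matches any document.
    """
    runtime: Dict[str, Any] = {}
    for name in dotted_fields:
        leaf = lookup_field(mapping, name)
        if leaf is not None and leaf.get("type") == "text":
            runtime[name] = {"type": "keyword"}
    return {"runtime": runtime}


if __name__ == "__main__":
    import json
    # Body for: PUT <signals-index>/_mapping
    print(json.dumps(build_shadow_runtime(SAMPLE_MAPPING, ["fields.team"]), indent=2))
```

Run the script and paste the printed body into the PUT _mapping request for each signals index, as the gist does by hand for 000001 and 000002.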