I'm currently creating an index template per dataset, which includes both component templates.
For example, index template logs-endpoint.alerts-<customer>.<class> includes both component templates logs-endpoint.alerts@package and logs-endpoint.alerts@custom.
I've had some errors while adding and I've been going through the integration documentation for Endpoint and there's something I believe is incomplete.
For the data type logs, according to the documentation, we have the following datasets:
alerts
file
network
...
What I see in my Elastic cluster though, is that the index templates and their index patterns are not exactly like this. They're more like:
alerts -> alerts
file -> events.file
library -> events.library
network -> events.network
...
It also seems events.api is missing here as well.
I think an update of the documentation is needed here to show the real datasets used here.
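As an added illustration (not the poster's own code, and not Elastic's), the following script builds the `PUT _index_template` bodies for the datasets as they actually appear in the cluster above (alerts, events.file, events.library, events.network, events.api) rather than the short names in the documentation. It assumes the standard data-stream naming scheme `<type>-<dataset>-<namespace>`, the two component templates named in the post (`logs-endpoint.<dataset>@package` and `logs-endpoint.<dataset>@custom`), a sample namespace `acme.prod` standing in for `<customer>.<class>`, and a template priority of 200; the priority value is an assumption chosen only so the templates outrank the built-in `logs-*-*` one.

```python
"""Build Elasticsearch index templates for the Endpoint datasets a cluster really uses.

Added example; not the original poster's code. Assumptions are marked inline.
"""
import json
import re

# Dataset names as seen in the cluster's index patterns (from the post),
# keyed by the short name the integration documentation uses.
OBSERVED_DATASETS = {
    "alerts": "alerts",
    "file": "events.file",
    "library": "events.library",
    "network": "events.network",
    "api": "events.api",  # present in the cluster, absent from the docs
}

# Component templates every index template is composed of (names from the post).
COMPONENT_SUFFIXES = ("@package", "@custom")

# Assumed value: high enough to win over the built-in logs-*-* template.
TEMPLATE_PRIORITY = 200

# A namespace is one segment of <type>-<dataset>-<namespace>; because the name
# is split on '-', the namespace itself must not contain one. Lowercase
# alphanumerics, dots and underscores are accepted here (e.g. "acme.prod").
_NAMESPACE_RE = re.compile(r"^[a-z0-9][a-z0-9._]*$")


def _cluster_dataset(doc_dataset):
    """Map a documentation dataset name to the name the cluster actually uses."""
    try:
        return OBSERVED_DATASETS[doc_dataset]
    except KeyError:
        raise ValueError(f"unknown Endpoint dataset: {doc_dataset!r}") from None


def data_stream_name(doc_dataset, namespace, data_type="logs"):
    """Compose <type>-endpoint.<cluster dataset>-<namespace>, e.g.
    logs-endpoint.events.file-acme.prod."""
    if not _NAMESPACE_RE.match(namespace):
        raise ValueError(f"namespace {namespace!r} is not a valid name segment")
    return f"{data_type}-endpoint.{_cluster_dataset(doc_dataset)}-{namespace}"


def component_template_names(doc_dataset, data_type="logs"):
    """The @package and @custom component templates for one dataset."""
    base = f"{data_type}-endpoint.{_cluster_dataset(doc_dataset)}"
    return [base + suffix for suffix in COMPONENT_SUFFIXES]


def build_index_template(doc_dataset, namespace, data_type="logs"):
    """Return {"name": ..., "body": ...} suitable for PUT _index_template/<name>."""
    pattern = data_stream_name(doc_dataset, namespace, data_type)
    body = {
        "index_patterns": [pattern],
        "data_stream": {},  # the template must back a data stream, not a plain index
        "composed_of": component_template_names(doc_dataset, data_type),
        "priority": TEMPLATE_PRIORITY,
    }
    return {"name": pattern, "body": body}


def build_all(namespace, data_type="logs"):
    """One index template per dataset the cluster is known to use."""
    templates = (build_index_template(d, namespace, data_type) for d in OBSERVED_DATASETS)
    return {t["name"]: t["body"] for t in templates}


def render_put_requests(namespace):
    """Render each template as a Kibana Dev Tools style PUT request (text only)."""
    return [
        f"PUT _index_template/{name}\n{json.dumps(body, indent=2)}"
        for name, body in build_all(namespace).items()
    ]


if __name__ == "__main__":
    print("\n\n".join(render_put_requests("acme.prod")))
```

Elasticsearch rejects an index template whose `composed_of` entries do not exist yet, so the `@package` and `@custom` names have to match the dataset names the cluster really uses (`events.file`, not `file`); that is the check this script front-loads before any request is sent.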