Stream

### Configuring Filebeat 8 to Write Logs to Specific Index

As already mentioned, if you frequently update or delete existing time series data, use an index alias with a write index instead of a data stream.

#### [Optional] Create Index Lifecycle Management Policy

This step is **optional**, but if you want to control the lifecycle tasks of your indices, such as creation, deletion and rollover to new phases, ILM policies come in very handy. You can manage the ILM policies in **Kibana** under **Stack Management** > **Data** > **Index Lifecycle Policies**.

So, for the purposes of demonstration, let's create a custom ILM policy to apply to our custom index:

- Navigate to **Kibana > Stack Management > Data > Index Lifecycle Policies > Create Policy**.
- Enter the name of the policy, for example, **demo** in our example.
- Configure the policy phases:
  - **Hot Phase**: Stores your most recent and most frequently searched data. This phase is **required**.
  - **Warm Phase**: Stores data that you are still likely to search but rarely need to update.
  - **Cold Phase**: Stores data that you search less often and don't need to update.
  - **Delete Phase**: At this phase, you can delete data you no longer need.
- Note that you can jump straight to the delete phase after each phase by clicking the **trash** icon.

Here is a screenshot of our ILM policy configuration. Note that the values we have here are for demonstration purposes.

Hot phase:

- Ensure **Rollover** is enabled

[Screenshot: hot phase settings]

Warm and cold phases:

[Screenshot: warm and cold phase settings]

Create a policy that suits your needs!

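The policy built in the UI above can also be kept as an API request body and checked before it is applied. The script below is an added example, not part of the original guide: the phase timings and rollover thresholds are constructed values (the guide's own settings were shown in a screenshot), and `lint_ilm_policy`, `console_request` and the `min_retention` parameter are hypothetical names.

```python
import json
import re

# Constructed demo values (assumptions): the guide's own timings were only in a screenshot.
DEMO_POLICY = {
    "policy": {
        "phases": {
            "hot": {
                "min_age": "0ms",
                "actions": {
                    # Rollover must be enabled in the hot phase.
                    "rollover": {"max_age": "1d", "max_primary_shard_size": "10gb"}
                },
            },
            "warm": {"min_age": "2d", "actions": {"set_priority": {"priority": 50}}},
            "cold": {"min_age": "7d", "actions": {"set_priority": {"priority": 0}}},
            "delete": {"min_age": "30d", "actions": {"delete": {}}},
        }
    }
}

PHASE_ORDER = ("hot", "warm", "cold", "delete")
UNIT_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def to_ms(value):
    """Convert an Elasticsearch time value such as '30d' or '0ms' to milliseconds."""
    match = re.fullmatch(r"(\d+)(ms|s|m|h|d)", value)
    if match is None:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(match.group(1)) * UNIT_MS[match.group(2)]


def lint_ilm_policy(body, min_retention="0d"):
    """Return a list of findings for an ILM policy request body.

    min_retention is a hypothetical parameter: the shortest time log data
    must stay searchable before the delete phase may remove it.
    """
    phases = body.get("policy", {}).get("phases", {})
    findings = []

    # The hot phase is required and is where rollover is configured.
    hot = phases.get("hot")
    if hot is None:
        findings.append("hot: phase is missing, but it is required")
    elif "rollover" not in hot.get("actions", {}):
        findings.append("hot: rollover is not enabled")

    # Each later phase should not start earlier than the one before it.
    prev_name, prev_age = None, 0
    for name in PHASE_ORDER:
        if name not in phases:
            continue
        age = to_ms(phases[name].get("min_age", "0ms"))
        if prev_name is not None and age < prev_age:
            findings.append(f"{name}: min_age is earlier than the {prev_name} phase")
        prev_name, prev_age = name, age

    # Without a delete phase nothing is removed; with one, check retention.
    delete = phases.get("delete")
    if delete is None:
        findings.append("delete: no delete phase, indices are kept indefinitely")
    elif "delete" not in delete.get("actions", {}):
        findings.append("delete: phase has no delete action")
    elif to_ms(delete.get("min_age", "0ms")) < to_ms(min_retention):
        findings.append(f"delete: data is removed before the required {min_retention}")
    return findings


def console_request(name, body):
    """Render the policy as a request for Kibana Dev Tools."""
    return f"PUT _ilm/policy/{name}\n{json.dumps(body, indent=2)}"


if __name__ == "__main__":
    print(console_request("demo", DEMO_POLICY))
    for finding in lint_ilm_policy(DEMO_POLICY, min_retention="90d"):
        print("finding:", finding)
```

The text returned by `console_request("demo", DEMO_POLICY)` can be pasted into Kibana Dev Tools to create the policy through the API instead of the UI.
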
You can always verify your policy with the following API command. Replace the index pattern accordingly.

```
GET <INDEX>-*/_ilm/explain
```

#### Create Component Index Template

A component index template defines mappings, settings, and aliases that can be used while creating index templates.

We will use the default component index templates in this guide.

#### Create/Bootstrap Index Template

An index template, on the other hand, is a template that is used to define specific settings for a specific index. Index templates can contain settings and mappings that are defined in component templates, as well as settings and mappings that are specific to the index.

So, let's create our own custom index template.

Navigate to **Kibana > Stack Management > Data > Index Management > Index Templates**.

Note that I already have a default Filebeat index template, created automatically by other Filebeat instances sending data to my Elasticsearch. So, to make life easier, let's clone an existing Filebeat index template and modify it to suit our needs.

If you want, this is the JSON config of the index template used in this demo.

\nPUT _index_template\/demo\n{\n \"template\": {\n \"settings\": {\n \"index\": {\n \"lifecycle\": {\n \"name\": \"demo\",\n \"rollover_alias\": \"demo\"\n },\n \"mapping\": {\n \"total_fields\": {\n \"limit\": \"10000\"\n }\n },\n \"refresh_interval\": \"5s\",\n \"number_of_shards\": \"1\",\n \"max_docvalue_fields_search\": \"200\",\n \"query\": {\n \"default_field\": [\n \"message\",\n \"tags\",\n \"agent.ephemeral_id\",\n \"agent.id\",\n \"agent.name\",\n \"agent.type\",\n \"agent.version\",\n \"as.organization.name\",\n \"client.address\",\n \"client.as.organization.name\",\n \"client.domain\",\n \"client.geo.city_name\",\n \"client.geo.continent_name\",\n \"client.geo.country_iso_code\",\n \"client.geo.country_name\",\n \"client.geo.name\",\n \"client.geo.region_iso_code\",\n \"client.geo.region_name\",\n \"client.mac\",\n \"client.registered_domain\",\n \"client.top_level_domain\",\n \"client.user.domain\",\n \"client.user.email\",\n \"client.user.full_name\",\n \"client.user.group.domain\",\n \"client.user.group.id\",\n \"client.user.group.name\",\n \"client.user.hash\",\n \"client.user.id\",\n \"client.user.name\",\n \"cloud.account.id\",\n \"cloud.availability_zone\",\n \"cloud.instance.id\",\n \"cloud.instance.name\",\n \"cloud.machine.type\",\n \"cloud.provider\",\n \"cloud.region\",\n \"container.id\",\n \"container.image.name\",\n \"container.image.tag\",\n \"container.name\",\n \"container.runtime\",\n \"destination.address\",\n \"destination.as.organization.name\",\n \"destination.domain\",\n \"destination.geo.city_name\",\n \"destination.geo.continent_name\",\n \"destination.geo.country_iso_code\",\n \"destination.geo.country_name\",\n \"destination.geo.name\",\n \"destination.geo.region_iso_code\",\n \"destination.geo.region_name\",\n \"destination.mac\",\n \"destination.registered_domain\",\n \"destination.top_level_domain\",\n \"destination.user.domain\",\n \"destination.user.email\",\n \"destination.user.full_name\",\n 
\"destination.user.group.domain\",\n \"destination.user.group.id\",\n \"destination.user.group.name\",\n \"destination.user.hash\",\n \"destination.user.id\",\n \"destination.user.name\",\n \"dns.answers.class\",\n \"dns.answers.data\",\n \"dns.answers.name\",\n \"dns.answers.type\",\n \"dns.header_flags\",\n \"dns.id\",\n \"dns.op_code\",\n \"dns.question.class\",\n \"dns.question.name\",\n \"dns.question.registered_domain\",\n \"dns.question.subdomain\",\n \"dns.question.top_level_domain\",\n \"dns.question.type\",\n \"dns.response_code\",\n \"dns.type\",\n \"ecs.version\",\n \"error.code\",\n \"error.id\",\n \"error.message\",\n \"error.stack_trace\",\n \"error.type\",\n \"event.action\",\n \"event.category\",\n \"event.code\",\n \"event.dataset\",\n \"event.hash\",\n \"event.id\",\n \"event.kind\",\n \"event.module\",\n \"event.outcome\",\n \"event.provider\",\n \"event.timezone\",\n \"event.type\",\n \"file.device\",\n \"file.directory\",\n \"file.extension\",\n \"file.gid\",\n \"file.group\",\n \"file.hash.md5\",\n \"file.hash.sha1\",\n \"file.hash.sha256\",\n \"file.hash.sha512\",\n \"file.inode\",\n \"file.mode\",\n \"file.name\",\n \"file.owner\",\n \"file.path\",\n \"file.target_path\",\n \"file.type\",\n \"file.uid\",\n \"geo.city_name\",\n \"geo.continent_name\",\n \"geo.country_iso_code\",\n \"geo.country_name\",\n \"geo.name\",\n \"geo.region_iso_code\",\n \"geo.region_name\",\n \"group.domain\",\n \"group.id\",\n \"group.name\",\n \"hash.md5\",\n \"hash.sha1\",\n \"hash.sha256\",\n \"hash.sha512\",\n \"host.architecture\",\n \"host.geo.city_name\",\n \"host.geo.continent_name\",\n \"host.geo.country_iso_code\",\n \"host.geo.country_name\",\n \"host.geo.name\",\n \"host.geo.region_iso_code\",\n \"host.geo.region_name\",\n \"host.hostname\",\n \"host.id\",\n \"host.mac\",\n \"host.name\",\n \"host.os.family\",\n \"host.os.full\",\n \"host.os.kernel\",\n \"host.os.name\",\n \"host.os.platform\",\n \"host.os.version\",\n \"host.type\",\n 
\"http.request.body.content\",\n \"http.request.method\",\n \"http.request.referrer\",\n \"http.response.body.content\",\n \"http.version\",\n \"log.level\",\n \"log.logger\",\n \"log.origin.file.name\",\n \"log.origin.function\",\n \"log.syslog.facility.name\",\n \"log.syslog.severity.name\",\n \"network.application\",\n \"network.community_id\",\n \"network.direction\",\n \"network.iana_number\",\n \"network.name\",\n \"network.protocol\",\n \"network.transport\",\n \"network.type\",\n \"observer.geo.city_name\",\n \"observer.geo.continent_name\",\n \"observer.geo.country_iso_code\",\n \"observer.geo.country_name\",\n \"observer.geo.name\",\n \"observer.geo.region_iso_code\",\n \"observer.geo.region_name\",\n \"observer.hostname\",\n \"observer.mac\",\n \"observer.name\",\n \"observer.os.family\",\n \"observer.os.full\",\n \"observer.os.kernel\",\n \"observer.os.name\",\n \"observer.os.platform\",\n \"observer.os.version\",\n \"observer.product\",\n \"observer.serial_number\",\n \"observer.type\",\n \"observer.vendor\",\n \"observer.version\",\n \"organization.id\",\n \"organization.name\",\n \"os.family\",\n \"os.full\",\n \"os.kernel\",\n \"os.name\",\n \"os.platform\",\n \"os.version\",\n \"package.architecture\",\n \"package.checksum\",\n \"package.description\",\n \"package.install_scope\",\n \"package.license\",\n \"package.name\",\n \"package.path\",\n \"package.version\",\n \"process.args\",\n \"process.executable\",\n \"process.hash.md5\",\n \"process.hash.sha1\",\n \"process.hash.sha256\",\n \"process.hash.sha512\",\n \"process.name\",\n \"process.thread.name\",\n \"process.title\",\n \"process.working_directory\",\n \"server.address\",\n \"server.as.organization.name\",\n \"server.domain\",\n \"server.geo.city_name\",\n \"server.geo.continent_name\",\n \"server.geo.country_iso_code\",\n \"server.geo.country_name\",\n \"server.geo.name\",\n \"server.geo.region_iso_code\",\n \"server.geo.region_name\",\n \"server.mac\",\n \"server.registered_domain\",\n 
\"server.top_level_domain\",\n \"server.user.domain\",\n \"server.user.email\",\n \"server.user.full_name\",\n \"server.user.group.domain\",\n \"server.user.group.id\",\n \"server.user.group.name\",\n \"server.user.hash\",\n \"server.user.id\",\n \"server.user.name\",\n \"service.ephemeral_id\",\n \"service.id\",\n \"service.name\",\n \"service.node.name\",\n \"service.state\",\n \"service.type\",\n \"service.version\",\n \"source.address\",\n \"source.as.organization.name\",\n \"source.domain\",\n \"source.geo.city_name\",\n \"source.geo.continent_name\",\n \"source.geo.country_iso_code\",\n \"source.geo.country_name\",\n \"source.geo.name\",\n \"source.geo.region_iso_code\",\n \"source.geo.region_name\",\n \"source.mac\",\n \"source.registered_domain\",\n \"source.top_level_domain\",\n \"source.user.domain\",\n \"source.user.email\",\n \"source.user.full_name\",\n \"source.user.group.domain\",\n \"source.user.group.id\",\n \"source.user.group.name\",\n \"source.user.hash\",\n \"source.user.id\",\n \"source.user.name\",\n \"threat.framework\",\n \"threat.tactic.id\",\n \"threat.tactic.name\",\n \"threat.tactic.reference\",\n \"threat.technique.id\",\n \"threat.technique.name\",\n \"threat.technique.reference\",\n \"trace.id\",\n \"transaction.id\",\n \"url.domain\",\n \"url.extension\",\n \"url.fragment\",\n \"url.full\",\n \"url.original\",\n \"url.password\",\n \"url.path\",\n \"url.query\",\n \"url.registered_domain\",\n \"url.scheme\",\n \"url.top_level_domain\",\n \"url.username\",\n \"user.domain\",\n \"user.email\",\n \"user.full_name\",\n \"user.group.domain\",\n \"user.group.id\",\n \"user.group.name\",\n \"user.hash\",\n \"user.id\",\n \"user.name\",\n \"user_agent.device.name\",\n \"user_agent.name\",\n \"user_agent.original.text\",\n \"user_agent.original\",\n \"user_agent.os.family\",\n \"user_agent.os.full\",\n \"user_agent.os.kernel\",\n \"user_agent.os.name\",\n \"user_agent.os.platform\",\n \"user_agent.os.version\",\n \"user_agent.version\",\n 
\"cloud.image.id\",\n \"host.os.build\",\n \"host.os.codename\",\n \"kubernetes.pod.name\",\n \"kubernetes.pod.uid\",\n \"kubernetes.namespace\",\n \"kubernetes.node.name\",\n \"kubernetes.node.hostname\",\n \"kubernetes.replicaset.name\",\n \"kubernetes.deployment.name\",\n \"kubernetes.statefulset.name\",\n \"kubernetes.container.name\",\n \"process.owner.id\",\n \"process.owner.name.text\",\n \"process.owner.name\",\n \"jolokia.agent.version\",\n \"jolokia.agent.id\",\n \"jolokia.server.product\",\n \"jolokia.server.version\",\n \"jolokia.server.vendor\",\n \"jolokia.url\",\n \"awscloudwatch.log_group\",\n \"awscloudwatch.log_stream\",\n \"awscloudwatch.ingestion_time\",\n \"aws.cloudwatch.log_group\",\n \"aws.cloudwatch.log_stream\",\n \"aws.cloudwatch.ingestion_time\",\n \"bucket.name\",\n \"bucket.arn\",\n \"object.key\",\n \"fields.*\"\n ]\n }\n }\n },\n \"mappings\": {\n \"_meta\": {\n \"beat\": \"filebeat\",\n \"version\": \"8.8.1\"\n },\n \"date_detection\": false,\n \"dynamic_templates\": [\n {\n \"labels\": {\n \"path_match\": \"labels.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n },\n {\n \"container.labels\": {\n \"path_match\": \"container.labels.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n },\n {\n \"fields\": {\n \"path_match\": \"fields.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n },\n {\n \"docker.container.labels\": {\n \"path_match\": \"docker.container.labels.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n },\n {\n \"kubernetes.labels.*\": {\n \"path_match\": \"kubernetes.labels.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"*\"\n }\n },\n {\n \"kubernetes.annotations.*\": {\n \"path_match\": \"kubernetes.annotations.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"*\"\n }\n },\n {\n 
\"kubernetes.selectors.*\": {\n \"path_match\": \"kubernetes.selectors.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"*\"\n }\n },\n {\n \"docker.attrs\": {\n \"path_match\": \"docker.attrs.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n },\n {\n \"azure.activitylogs.identity.claims.*\": {\n \"path_match\": \"azure.activitylogs.identity.claims.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"*\"\n }\n },\n {\n \"kibana.log.meta\": {\n \"path_match\": \"kibana.log.meta.*\",\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n },\n {\n \"strings_as_keyword\": {\n \"mapping\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n }\n ],\n \"properties\": {\n \"@timestamp\": {\n \"type\": \"date\"\n },\n \"activemq\": {\n \"type\": \"object\",\n \"properties\": {\n \"caller\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"stack_trace\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"thread\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"agent\": {\n \"type\": \"object\",\n \"properties\": {\n \"build\": {\n \"type\": \"object\",\n \"properties\": {\n \"original\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ephemeral_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hostname\": {\n \"path\": \"agent.name\",\n \"type\": \"alias\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"apache\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"access\": {\n \"type\": \"object\",\n \"properties\": {\n \"ssl\": {\n \"type\": \"object\",\n \"properties\": {\n \"cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"module\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"auditd\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"a0\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"addr\": {\n \"type\": \"ip\"\n },\n \"item\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"items\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"laddr\": {\n \"type\": \"ip\"\n },\n \"lport\": {\n \"type\": \"long\"\n },\n \"new_auid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"new_ses\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_auid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_ses\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rport\": {\n \"type\": \"long\"\n },\n \"sequence\": {\n \"type\": \"long\"\n },\n \"tty\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"aws\": {\n \"type\": \"object\",\n \"properties\": {\n \"cloudtrail\": {\n \"type\": \"object\",\n \"properties\": {\n \"additional_eventdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"api_version\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"console_login\": {\n \"type\": \"object\",\n \"properties\": {\n \"additional_eventdata\": {\n \"type\": \"object\",\n \"properties\": {\n \"login_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mfa_used\": {\n \"type\": \"boolean\"\n },\n \"mobile_version\": {\n \"type\": \"boolean\"\n }\n }\n }\n }\n },\n \"digest\": {\n \"type\": \"object\",\n \"properties\": {\n \"end_time\": {\n \"type\": \"date\"\n },\n \"log_files\": {\n \"type\": \"nested\"\n },\n \"newest_event_time\": {\n \"type\": \"date\"\n },\n \"oldest_event_time\": {\n \"type\": \"date\"\n },\n \"previous_hash_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"previous_s3_bucket\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_fingerprint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"s3_bucket\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"s3_object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"start_time\": {\n \"type\": \"date\"\n }\n }\n },\n \"error_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flattened\": {\n \"type\": \"object\",\n \"properties\": {\n \"additional_eventdata\": {\n \"type\": \"flattened\"\n },\n \"request_parameters\": {\n \"type\": \"flattened\"\n },\n \"response_elements\": {\n \"type\": \"flattened\"\n },\n \"service_event_details\": {\n \"type\": \"flattened\"\n }\n }\n },\n \"insight_details\": {\n \"type\": \"flattened\"\n },\n \"management_event\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"read_only\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"recipient_account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_parameters\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"resources\": {\n \"type\": \"object\",\n \"properties\": {\n \"account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"arn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"response_elements\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"service_event_details\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"shared_event_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_identity\": {\n \"type\": \"object\",\n \"properties\": {\n \"access_key_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"arn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"invoked_by\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_context\": {\n \"type\": \"object\",\n \"properties\": {\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"mfa_authenticated\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"arn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"principal_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n }\n }\n },\n \"vpc_endpoint_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"cloudwatch\": {\n \"type\": \"object\",\n \"properties\": {\n \"ingestion_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_stream\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"ec2\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"elb\": {\n \"type\": \"object\",\n \"properties\": {\n \"action_executed\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"backend\": {\n \"type\": \"object\",\n \"properties\": {\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"status_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"backend_processing_time\": {\n \"type\": \"object\",\n \"properties\": {\n \"sec\": {\n \"type\": \"float\"\n }\n }\n },\n \"chosen_cert\": {\n \"type\": \"object\",\n \"properties\": {\n \"arn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serial\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"classification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_time\": {\n \"type\": \"object\",\n \"properties\": {\n \"ms\": {\n \"type\": \"long\"\n }\n }\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"incoming_tls_alert\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"listener\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"matched_rule_priority\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"redirect_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_processing_time\": {\n \"type\": \"object\",\n \"properties\": {\n \"sec\": {\n \"type\": \"float\"\n }\n }\n },\n \"response_processing_time\": {\n \"type\": \"object\",\n \"properties\": {\n \"sec\": {\n \"type\": \"float\"\n }\n }\n },\n \"ssl_cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target_group\": {\n \"type\": \"object\",\n \"properties\": {\n \"arn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"target_port\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target_status_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tls_handshake_time\": {\n \"type\": \"object\",\n \"properties\": {\n \"ms\": {\n \"type\": \"long\"\n }\n }\n },\n \"tls_named_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trace_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"s3access\": {\n \"type\": \"object\",\n \"properties\": {\n \"authentication_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bucket\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bucket_owner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bytes_sent\": {\n \"type\": \"long\"\n },\n \"cipher_suite\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_header\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"host_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_status\": {\n \"type\": \"long\"\n },\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"object_size\": {\n \"type\": \"long\"\n },\n \"operation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"referrer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote_ip\": {\n \"type\": \"ip\"\n },\n \"request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_uri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requester\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tls_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total_time\": {\n \"type\": \"long\"\n },\n \"turn_around_time\": {\n \"type\": \"long\"\n },\n \"user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vpcflow\": {\n \"type\": \"object\",\n \"properties\": {\n \"account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"instance_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"interface_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pkt_dstaddr\": {\n \"type\": \"ip\"\n },\n \"pkt_srcaddr\": {\n \"type\": \"ip\"\n },\n \"subnet_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_flags_array\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpc_id\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"awscloudwatch\": {\n \"type\": \"object\",\n \"properties\": {\n \"ingestion_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_stream\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"azure\": {\n \"type\": \"object\",\n \"properties\": {\n \"activitylogs\": {\n \"type\": \"object\",\n \"properties\": {\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity\": {\n \"type\": \"object\",\n \"properties\": {\n \"authorization\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"evidence\": {\n \"type\": \"object\",\n \"properties\": {\n \"principal_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"principal_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role_assignment_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role_assignment_scope\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role_definition_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"scope\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"claims\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"claims_initiated_by_user\": {\n \"type\": \"object\",\n \"properties\": {\n \"fullname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"givenname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"schema\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"surname\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"identity_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"level\": {\n \"type\": \"long\"\n },\n \"operation_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"properties\": {\n \"type\": \"flattened\"\n },\n \"result_signature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"auditlogs\": {\n \"type\": \"object\",\n \"properties\": {\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"properties\": {\n \"type\": \"object\",\n \"properties\": {\n \"activity_datetime\": {\n \"type\": \"date\"\n },\n \"activity_display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"correlation_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"initiated_by\": {\n \"type\": \"object\",\n \"properties\": {\n \"app\": {\n \"type\": \"object\",\n \"properties\": {\n \"appId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"displayName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"servicePrincipalId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"servicePrincipalName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"displayName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"userPrincipalName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"logged_by_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target_resources\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\",\n \"properties\": {\n \"display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"modified_properties\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\",\n \"properties\": {\n \"display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"new_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_principal_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"result_signature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"consumer_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"correlation_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"enqueued_time\": {\n \"type\": \"date\"\n },\n \"eventhub\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"offset\": {\n \"type\": \"long\"\n },\n \"partition_id\": {\n \"type\": \"long\"\n },\n \"platformlogs\": {\n \"type\": 
\"object\",\n \"properties\": {\n \"ActivityId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Caller\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Cloud\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Environment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"EventTimeString\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ScaleUnit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ccpNamespace\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"properties\": {\n \"type\": \"flattened\"\n },\n \"result_signature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"resource\": {\n \"type\": \"object\",\n \"properties\": {\n \"authorization_rule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"namespace\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"sequence_number\": {\n \"type\": \"long\"\n },\n \"signinlogs\": {\n \"type\": \"object\",\n \"properties\": {\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"operation_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"properties\": {\n \"type\": \"object\",\n \"properties\": {\n \"app_display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_processing_details\": {\n \"type\": \"flattened\"\n },\n \"authentication_protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_requirement\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_requirement_policies\": {\n \"type\": \"flattened\"\n },\n \"autonomous_system_number\": {\n \"type\": \"long\"\n },\n \"client_app_used\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"conditional_access_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"correlation_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created_at\": {\n \"type\": \"date\"\n },\n \"cross_tenant_access_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_detail\": {\n \"type\": \"object\",\n \"properties\": {\n \"browser\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_compliant\": {\n \"type\": \"boolean\"\n },\n \"is_managed\": {\n \"type\": \"boolean\"\n },\n \"operating_system\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trust_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"flagged_for_review\": {\n \"type\": \"boolean\"\n },\n \"home_tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incoming_token_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_interactive\": {\n \"type\": \"boolean\"\n },\n \"is_tenant_restricted\": {\n 
\"type\": \"boolean\"\n },\n \"original_request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"processing_time_ms\": {\n \"type\": \"float\"\n },\n \"resource_display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource_tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_detail\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_event_types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_event_types_v2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_level_aggregated\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_level_during_signin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service_principal_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service_principal_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sso_extension_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"type\": \"object\",\n \"properties\": {\n \"error_code\": {\n \"type\": \"long\"\n }\n }\n },\n \"token_issuer_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"token_issuer_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"unique_token_identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_principal_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"result_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result_signature\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"result_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"subscription_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"bucket\": {\n \"type\": \"object\",\n \"properties\": {\n \"arn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"cef\": {\n \"type\": \"object\",\n \"properties\": {\n \"device\": {\n \"type\": \"object\",\n \"properties\": {\n \"event_class_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"extensions\": {\n \"type\": \"object\",\n \"properties\": {\n \"Reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentAddress\": {\n \"type\": \"ip\"\n },\n \"agentDnsDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentHostName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentMacAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentNtDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentReceiptTime\": {\n \"type\": \"date\"\n },\n \"agentTimeZone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentTranslatedAddress\": {\n \"type\": \"ip\"\n },\n \"agentTranslatedZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentTranslatedZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentVersion\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agentZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"applicationProtocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"baseEventCount\": {\n \"type\": \"long\"\n },\n \"bytesIn\": {\n \"type\": \"long\"\n },\n \"bytesOut\": {\n \"type\": \"long\"\n },\n \"categoryBehavior\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categoryDeviceGroup\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categoryDeviceType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categoryObject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categoryOutcome\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categorySignificance\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categoryTechnique\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cp_app_risk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cp_severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"customerExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"customerURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationAddress\": {\n \"type\": \"ip\"\n },\n \"destinationDnsDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationGeoLatitude\": {\n \"type\": \"double\"\n },\n \"destinationGeoLongitude\": {\n \"type\": \"double\"\n },\n \"destinationHostName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationMacAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationNtDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationPort\": {\n \"type\": \"long\"\n },\n \"destinationProcessId\": {\n \"type\": \"long\"\n },\n \"destinationProcessName\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"destinationServiceName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationTranslatedAddress\": {\n \"type\": \"ip\"\n },\n \"destinationTranslatedPort\": {\n \"type\": \"long\"\n },\n \"destinationTranslatedZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationTranslatedZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationUserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationUserName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationUserPrivileges\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destinationZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceAction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceAddress\": {\n \"type\": \"ip\"\n },\n \"deviceCustomDate1\": {\n \"type\": \"date\"\n },\n \"deviceCustomDate1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomDate2\": {\n \"type\": \"date\"\n },\n \"deviceCustomDate2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomFloatingPoint1\": {\n \"type\": \"double\"\n },\n \"deviceCustomFloatingPoint1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomFloatingPoint2\": {\n \"type\": \"double\"\n },\n \"deviceCustomFloatingPoint2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomFloatingPoint3\": {\n \"type\": \"double\"\n },\n \"deviceCustomFloatingPoint3Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomFloatingPoint4\": {\n \"type\": \"double\"\n },\n \"deviceCustomFloatingPoint4Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomIPv6Address1\": {\n \"type\": \"ip\"\n },\n \"deviceCustomIPv6Address1Label\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomIPv6Address2\": {\n \"type\": \"ip\"\n },\n \"deviceCustomIPv6Address2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomIPv6Address3\": {\n \"type\": \"ip\"\n },\n \"deviceCustomIPv6Address3Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomIPv6Address4\": {\n \"type\": \"ip\"\n },\n \"deviceCustomIPv6Address4Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomNumber1\": {\n \"type\": \"long\"\n },\n \"deviceCustomNumber1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomNumber2\": {\n \"type\": \"long\"\n },\n \"deviceCustomNumber2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomNumber3\": {\n \"type\": \"long\"\n },\n \"deviceCustomNumber3Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString3Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString4\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString4Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString5Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString6\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceCustomString6Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"deviceDirection\": {\n \"type\": \"long\"\n },\n \"deviceDnsDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceEventCategory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceExternalId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceFacility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceFlexNumber1\": {\n \"type\": \"long\"\n },\n \"deviceFlexNumber1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceFlexNumber2\": {\n \"type\": \"long\"\n },\n \"deviceFlexNumber2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceHostName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceInboundInterface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceMacAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceNtDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceOutboundInterface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"devicePayloadId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceProcessId\": {\n \"type\": \"long\"\n },\n \"deviceProcessName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceReceiptTime\": {\n \"type\": \"date\"\n },\n \"deviceTimeZone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceTranslatedAddress\": {\n \"type\": \"ip\"\n },\n \"deviceTranslatedZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceTranslatedZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"endTime\": {\n \"type\": \"date\"\n },\n \"eventId\": {\n \"type\": \"long\"\n },\n \"eventOutcome\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"externalId\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fileCreateTime\": {\n \"type\": \"date\"\n },\n \"fileHash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fileId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fileModificationTime\": {\n \"type\": \"date\"\n },\n \"filePath\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filePermission\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fileSize\": {\n \"type\": \"long\"\n },\n \"fileType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flexDate1\": {\n \"type\": \"date\"\n },\n \"flexDate1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flexString1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flexString1Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flexString2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flexString2Label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ifname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inzone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"layer_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"layer_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"loguid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"managerReceiptTime\": {\n \"type\": \"date\"\n },\n \"match_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_addtnl_rulenum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_rulenum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldFileCreateTime\": {\n \"type\": \"date\"\n },\n \"oldFileHash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"oldFileId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldFileModificationTime\": {\n \"type\": \"date\"\n },\n \"oldFileName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldFilePath\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldFilePermission\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldFileSize\": {\n \"type\": \"long\"\n },\n \"oldFileType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"origin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"originsicname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"outzone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_rule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rawEvent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requestClientApplication\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requestContext\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requestCookies\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requestMethod\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requestUrl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sequencenum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceAddress\": {\n \"type\": \"ip\"\n },\n \"sourceDnsDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceGeoLatitude\": {\n \"type\": \"double\"\n },\n \"sourceGeoLongitude\": {\n \"type\": \"double\"\n },\n \"sourceHostName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceMacAddress\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"sourceNtDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourcePort\": {\n \"type\": \"long\"\n },\n \"sourceProcessId\": {\n \"type\": \"long\"\n },\n \"sourceProcessName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceServiceName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceTranslatedAddress\": {\n \"type\": \"ip\"\n },\n \"sourceTranslatedPort\": {\n \"type\": \"long\"\n },\n \"sourceTranslatedZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceTranslatedZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceUserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceUserName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceUserPrivileges\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceZoneExternalID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceZoneURI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"startTime\": {\n \"type\": \"date\"\n },\n \"transportProtocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"type\": \"long\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"checkpoint\": {\n \"type\": \"object\",\n \"properties\": {\n \"action_reason\": {\n \"type\": \"long\"\n },\n \"action_reason_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"additional_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"additional_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"additional_rdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alert\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"allocated_ports\": {\n \"type\": \"long\"\n },\n \"analyzed_on\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"answer_rdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"anti_virus_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_id\": {\n \"type\": \"long\"\n },\n \"app_package\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_properties\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_repackaged\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_risk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_sid_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_sig_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"appi_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"arrival_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attachments_num\": {\n \"type\": \"long\"\n },\n \"attack_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"audit_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authority_rdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authorization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bcc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"blade_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"broker_publisher\": {\n \"type\": \"ip\"\n },\n \"browse_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"c_bytes\": {\n \"type\": \"long\"\n },\n \"calc_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"capacity\": {\n \"type\": \"long\"\n },\n \"capture_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"certificate_resource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"certificate_validation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cgnet\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"chunk_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_type_os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cluster_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"community\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"confidence_level\": {\n \"type\": \"long\"\n },\n \"conn_direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connectivity_level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connectivity_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"conns_amount\": {\n \"type\": \"long\"\n },\n \"content_disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_length\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_risk\": {\n \"type\": \"long\"\n },\n \"content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_num\": {\n \"type\": \"long\"\n },\n \"cookie\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cookieI\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cookieR\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cp_message\": {\n \"type\": \"long\"\n },\n \"cvpn_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cvpn_resource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data_type_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_ver\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dce-rpc_interface_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"delivery_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"detected_on\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"developer_certificate_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"diameter_app_ID\": {\n \"type\": \"long\"\n },\n \"diameter_cmd_code\": {\n \"type\": \"long\"\n },\n \"diameter_msg_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_action_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_additional_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_categories\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_data_type_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_data_type_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_fingerprint_files_number\": {\n \"type\": \"long\"\n },\n \"dlp_fingerprint_long_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_fingerprint_short_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_incident_uid\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_recipients\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_related_incident_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_relevant_data_types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_repository_directories_number\": {\n \"type\": \"long\"\n },\n \"dlp_repository_files_number\": {\n \"type\": \"long\"\n },\n \"dlp_repository_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_repository_not_scanned_directories_percentage\": {\n \"type\": \"long\"\n },\n \"dlp_repository_reached_directories_number\": {\n \"type\": \"long\"\n },\n \"dlp_repository_root_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_repository_scan_progress\": {\n \"type\": \"long\"\n },\n \"dlp_repository_scanned_directories_number\": {\n \"type\": \"long\"\n },\n \"dlp_repository_scanned_files_number\": {\n \"type\": \"long\"\n },\n \"dlp_repository_scanned_total_size\": {\n \"type\": \"long\"\n },\n \"dlp_repository_skipped_files_number\": {\n \"type\": \"long\"\n },\n \"dlp_repository_total_size\": {\n \"type\": \"long\"\n },\n \"dlp_repository_unreachable_directories_number\": {\n \"type\": \"long\"\n },\n \"dlp_rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_template_score\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_transint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_violation_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_watermark_profile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dlp_word_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"drop_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"dropped_file_hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dropped_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dropped_file_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dropped_file_verdict\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dropped_incoming\": {\n \"type\": \"long\"\n },\n \"dropped_outgoing\": {\n \"type\": \"long\"\n },\n \"dropped_total\": {\n \"type\": \"long\"\n },\n \"drops_amount\": {\n \"type\": \"long\"\n },\n \"dst_country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_phone_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstkeyid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duplicate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"elapsed\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_content\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_control\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_control_analysis\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_headers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_message_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_queue_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_queue_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_recipients_num\": {\n \"type\": \"long\"\n },\n \"email_session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_spam_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_spool_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"email_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"emulated_on\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"encryption_failure\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"end_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"end_user_firewall_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_access_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_associated_policies\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_noncompliance_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_rule_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_rule_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esod_scan_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_count\": {\n \"type\": \"long\"\n },\n \"expire_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extracted_file_hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extracted_file_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extracted_file_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extracted_file_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extracted_file_verdict\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"failure_impact\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"failure_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"files_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"first_hit_time\": {\n \"type\": \"long\"\n },\n \"frequency\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fs-proto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ftp_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fw_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fw_subproduct\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hide_ip\": {\n \"type\": \"ip\"\n },\n \"hit\": {\n \"type\": \"long\"\n },\n \"host_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_location\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"https_inspection_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"https_inspection_rule_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"https_inspection_rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"https_validation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icap_more_info\": {\n \"type\": \"long\"\n },\n \"icap_server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icap_server_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icap_service_id\": {\n \"type\": \"long\"\n },\n \"icmp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_code\": {\n \"type\": \"long\"\n },\n \"icmp_type\": {\n \"type\": \"long\"\n },\n \"id\": {\n \"type\": \"long\"\n },\n \"identity_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ike\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ike_ids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"impacted_files\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incident_extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicator_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicator_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicator_reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicator_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"information\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inspection_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inspection_item\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inspection_profile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inspection_settings_log\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"installed_products\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"int_end\": {\n \"type\": \"long\"\n },\n \"int_start\": {\n \"type\": \"long\"\n },\n \"integrity_av_invoke_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"interface_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"internal_error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"invalid_file_size\": {\n \"type\": \"long\"\n },\n \"ip_option\": {\n \"type\": \"long\"\n },\n \"isp_link\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_hit_time\": {\n \"type\": \"long\"\n },\n \"last_rematch_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"layer_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"layer_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"limit_applied\": {\n \"type\": \"long\"\n },\n \"limit_requested\": {\n \"type\": \"long\"\n },\n \"link_probing_status_update\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"links_num\": {\n \"type\": \"long\"\n },\n \"log_delay\": {\n \"type\": \"long\"\n },\n \"log_id\": {\n \"type\": \"long\"\n },\n \"logid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"long_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"machine\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"malware_family\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"match_fk\": {\n \"type\": \"long\"\n },\n \"match_id\": {\n \"type\": \"long\"\n },\n \"matched_file\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"matched_file_percentage\": {\n \"type\": \"long\"\n },\n \"matched_file_text_segments\": {\n \"type\": \"long\"\n },\n \"media_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message_size\": {\n \"type\": \"long\"\n },\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"methods\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mirror_and_decrypt_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_collection\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_command_and_control\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_credential_access\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_defense_evasion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_discovery\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_execution\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_exfiltration\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"mitre_impact\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_initial_access\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_lateral_movement\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_persistence\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_privilege_escalation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"monitor_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat46\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_addtnl_rulenum\": {\n \"type\": \"long\"\n },\n \"nat_exhausted_pool\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_rulenum\": {\n \"type\": \"long\"\n },\n \"needs_browse_time\": {\n \"type\": \"long\"\n },\n \"next_hop_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"next_scheduled_scan_date\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number_of_errors\": {\n \"type\": \"long\"\n },\n \"objecttable\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"objecttype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"observable_comment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"observable_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"observable_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"origin_sic_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_queue_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"outgoing_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"packet_amount\": {\n \"type\": \"long\"\n },\n 
\"packet_capture_unique_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_file_hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_file_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_process_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_rule\": {\n \"type\": \"long\"\n },\n \"peer_gateway\": {\n \"type\": \"ip\"\n },\n \"peer_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer_ip_probing_status_update\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"performance_impact\": {\n \"type\": \"long\"\n },\n \"policy_mgmt\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ports_usage\": {\n \"type\": \"long\"\n },\n \"ppp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"precise_error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"properties\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protection_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protection_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"proxy_machine_name\": {\n \"type\": \"long\"\n },\n \"proxy_src_ip\": {\n \"type\": \"ip\"\n },\n \"proxy_user_dn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"proxy_user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"question_rdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"referrer\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"referrer_parent_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"referrer_self_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registered_ip-phones\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reject_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reject_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rematch_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remediated_files\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reply_status\": {\n \"type\": \"long\"\n },\n \"risk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rpc_prog\": {\n \"type\": \"long\"\n },\n \"rule\": {\n \"type\": \"long\"\n },\n \"rule_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rulebase_id\": {\n \"type\": \"long\"\n },\n \"scan_direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scan_hosts_day\": {\n \"type\": \"long\"\n },\n \"scan_hosts_hour\": {\n \"type\": \"long\"\n },\n \"scan_hosts_week\": {\n \"type\": \"long\"\n },\n \"scan_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scan_mail\": {\n \"type\": \"long\"\n },\n \"scan_result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scan_results\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scheme\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scope\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scrub_activity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scrub_download_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scrub_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scrub_total_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scrubbed_content\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"sctp_association_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sctp_error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scv_message_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scv_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"securexl_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sensor_mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"short_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sig_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"similar_communication\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"similar_hashes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"similar_strings\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"similiar_iocs\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sip_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"site_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"snid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"special_properties\": {\n \"type\": \"long\"\n },\n \"specific_data_type_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"speed\": {\n \"type\": \"long\"\n },\n \"spyware_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"spyware_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"spyware_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_phone_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_user_dn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srckeyid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status_update\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_policy_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_policy_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subs_exp\": {\n \"type\": \"date\"\n },\n \"subscriber\": {\n \"type\": \"ip\"\n },\n \"summary\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suppressed_logs\": {\n \"type\": \"long\"\n },\n \"sync\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sys_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_end_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_packet_out_of_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"te_verdict_determined_by\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"termination_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ticket_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tls_server_host_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_archive_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total_attachments\": {\n \"type\": \"long\"\n },\n \"triggered_by\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"trusted_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"unique_detected_day\": {\n \"type\": \"long\"\n },\n \"unique_detected_hour\": {\n \"type\": \"long\"\n },\n \"unique_detected_week\": {\n \"type\": \"long\"\n },\n \"update_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vendor_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"verdict\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"via\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virus_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_attach_action_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_attach_sz\": {\n \"type\": \"long\"\n },\n \"voip_call_dir\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_call_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_call_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_call_term_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_config\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_duration\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_est_codec\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_exp\": {\n \"type\": \"long\"\n },\n \"voip_from_user_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_log_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_media_codec\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_media_ipp\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"voip_media_port\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_reason_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_reg_int\": {\n \"type\": \"long\"\n },\n \"voip_reg_ipp\": {\n \"type\": \"long\"\n },\n \"voip_reg_period\": {\n \"type\": \"long\"\n },\n \"voip_reg_server\": {\n \"type\": \"ip\"\n },\n \"voip_reg_user_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_reject_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"voip_to_user_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpn_feature_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"watermark\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_server_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"word_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"cisco\": {\n \"type\": \"object\",\n \"properties\": {\n \"amp\": {\n \"type\": \"object\",\n \"properties\": {\n \"bp_data\": {\n \"type\": \"flattened\"\n },\n \"cloud_ioc\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"short_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"command_line\": {\n \"type\": \"object\",\n \"properties\": {\n \"arguments\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"computer\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"boolean\"\n },\n \"connector_guid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"external_ip\": {\n \"type\": \"ip\"\n },\n \"network_addresses\": {\n \"type\": \"flattened\"\n }\n }\n },\n \"connector_guid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"detection\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"detection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"event_type_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"archived_file\": {\n \"type\": \"object\",\n \"properties\": {\n \"disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"attack_details\": {\n \"type\": \"object\",\n \"properties\": {\n \"application\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attacked_module\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"base_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicators\": {\n \"type\": \"flattened\"\n },\n \"suspicious_files\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent\": {\n \"type\": \"object\",\n \"properties\": {\n \"disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"group_guids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_tactics\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_techniques\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"network_info\": {\n \"type\": \"object\",\n \"properties\": {\n \"disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nfm\": {\n \"type\": \"object\",\n \"properties\": {\n \"direction\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"parent\": {\n \"type\": \"object\",\n \"properties\": {\n \"disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identify\": {\n \"type\": \"object\",\n \"properties\": {\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"identity\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"related\": {\n \"type\": \"object\",\n \"properties\": {\n \"cve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"scan\": {\n \"type\": \"object\",\n \"properties\": {\n \"clean\": {\n \"type\": \"boolean\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"malicious_detections\": {\n \"type\": \"long\"\n },\n \"scanned_files\": {\n \"type\": \"long\"\n },\n \"scanned_paths\": {\n \"type\": \"long\"\n },\n \"scanned_processes\": {\n \"type\": \"long\"\n }\n }\n },\n \"tactics\": {\n \"type\": \"flattened\"\n },\n \"techniques\": {\n \"type\": \"flattened\"\n },\n \"threat_hunting\": {\n \"type\": \"object\",\n \"properties\": {\n \"incident_end_time\": {\n \"type\": \"date\"\n },\n \"incident_hunt_guid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incident_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incident_remediation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incident_report_guid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incident_start_time\": {\n \"type\": \"date\"\n },\n \"incident_summary\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incident_title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"tactics\": {\n \"type\": \"flattened\"\n },\n \"techniques\": {\n \"type\": \"flattened\"\n }\n }\n },\n \"timestamp_nanoseconds\": {\n \"type\": \"date\"\n },\n \"vulnerabilities\": {\n \"type\": \"flattened\"\n }\n }\n },\n \"asa\": {\n \"type\": \"object\",\n \"properties\": {\n \"assigned_ip\": {\n \"type\": \"ip\"\n },\n \"burst\": {\n \"type\": \"object\",\n \"properties\": {\n \"avg_rate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"configured_avg_rate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"configured_rate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cumulative_count\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"current_rate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"command_line_arguments\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dap_records\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_user_security_group_tag\": {\n \"type\": \"long\"\n },\n \"destination_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_code\": {\n \"type\": \"short\"\n },\n \"icmp_type\": {\n \"type\": \"short\"\n },\n \"mapped_destination_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mapped_destination_ip\": {\n \"type\": \"ip\"\n },\n \"mapped_destination_port\": {\n \"type\": \"long\"\n },\n \"mapped_source_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mapped_source_ip\": {\n \"type\": \"ip\"\n },\n \"mapped_source_port\": {\n \"type\": \"long\"\n },\n \"message_id\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"privilege\": {\n \"type\": \"object\",\n \"properties\": {\n \"new\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_user_security_group_tag\": {\n \"type\": \"long\"\n },\n \"source_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suffix\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"termination_initiator\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"termination_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tunnel_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"webvpn\": {\n \"type\": \"object\",\n \"properties\": {\n \"group_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"ftd\": {\n \"type\": \"object\",\n \"properties\": {\n \"connection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dap_records\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_code\": {\n \"type\": \"short\"\n },\n \"icmp_type\": {\n \"type\": \"short\"\n },\n \"mapped_destination_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mapped_destination_ip\": {\n \"type\": \"ip\"\n },\n \"mapped_destination_port\": {\n 
\"type\": \"long\"\n },\n \"mapped_source_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mapped_source_ip\": {\n \"type\": \"ip\"\n },\n \"mapped_source_port\": {\n \"type\": \"long\"\n },\n \"message_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"security\": {\n \"type\": \"object\"\n },\n \"source_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suffix\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"termination_initiator\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"termination_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"webvpn\": {\n \"type\": \"object\",\n \"properties\": {\n \"group_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"ios\": {\n \"type\": \"object\",\n \"properties\": {\n \"access_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"facility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"umbrella\": {\n \"type\": \"object\",\n \"properties\": {\n \"amp_disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"amp_malware_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"amp_score\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"av_detections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"blocked_categories\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"categories\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"datacenter\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"identities\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity_types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"origin_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_identity_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"puas\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha_sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"packets\": {\n \"type\": \"long\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"cloud\": {\n \"type\": \"object\",\n \"properties\": {\n \"account\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"availability_zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"image\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"instance\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"machine\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"origin\": {\n \"type\": \"object\",\n \"properties\": {\n \"account\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"availability_zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"instance\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"machine\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"project\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"project\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n 
\"target\": {\n \"type\": \"object\",\n \"properties\": {\n \"account\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"availability_zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"instance\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"machine\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"project\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"trusted\": {\n \"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"container\": {\n \"type\": \"object\",\n \"properties\": {\n \"cpu\": {\n \"type\": \"object\",\n \"properties\": {\n \"usage\": {\n \"scaling_factor\": 1000,\n \"type\": 
\"scaled_float\"\n }\n }\n },\n \"disk\": {\n \"type\": \"object\",\n \"properties\": {\n \"read\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n }\n }\n },\n \"write\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"image\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"labels\": {\n \"type\": \"object\"\n },\n \"memory\": {\n \"type\": \"object\",\n \"properties\": {\n \"usage\": {\n \"scaling_factor\": 1000,\n \"type\": \"scaled_float\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"network\": {\n \"type\": \"object\",\n \"properties\": {\n \"egress\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n }\n }\n },\n \"ingress\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"runtime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"coredns\": {\n \"type\": \"object\",\n \"properties\": {\n \"query\": {\n \"type\": \"object\",\n \"properties\": {\n \"size\": {\n \"type\": \"long\"\n }\n }\n },\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"size\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"crowdstrike\": {\n \"type\": \"object\",\n \"properties\": {\n \"event\": {\n \"type\": \"object\",\n \"properties\": {\n \"AuditKeyValues\": {\n \"type\": \"nested\"\n },\n \"CommandLine\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Commands\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ComputerName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ConnectionDirection\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"CustomerId\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"DetectDescription\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"DetectId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"DetectName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"DeviceId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"EndTimestamp\": {\n \"type\": \"date\"\n },\n \"EventType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ExecutablesWritten\": {\n \"type\": \"nested\"\n },\n \"FalconHostLink\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"FileName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"FilePath\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"FineScore\": {\n \"type\": \"float\"\n },\n \"Flags\": {\n \"type\": \"object\",\n \"properties\": {\n \"Audit\": {\n \"type\": \"boolean\"\n },\n \"Log\": {\n \"type\": \"boolean\"\n },\n \"Monitor\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"GrandparentCommandLine\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"GrandparentImageFileName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"HostName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"HostnameField\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ICMPCode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ICMPType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"IOCType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"IOCValue\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ImageFileName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"IncidentEndTime\": {\n \"type\": \"date\"\n },\n \"IncidentStartTime\": {\n \"type\": \"date\"\n },\n \"Ipv\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"LateralMovement\": {\n \"type\": \"long\"\n },\n \"LocalAddress\": {\n \"type\": \"ip\"\n },\n \"LocalIP\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"LocalPort\": {\n \"type\": \"long\"\n },\n \"MACAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MD5String\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MachineDomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MatchCount\": {\n \"type\": \"long\"\n },\n \"MatchCountSinceLastReport\": {\n \"type\": \"long\"\n },\n \"NetworkProfile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Objective\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"OperationName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"PID\": {\n \"type\": \"long\"\n },\n \"ParentCommandLine\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ParentImageFileName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ParentProcessId\": {\n \"type\": \"long\"\n },\n \"PatternDispositionDescription\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"PatternDispositionFlags\": {\n \"type\": \"object\"\n },\n \"PatternDispositionValue\": {\n \"type\": \"long\"\n },\n \"PolicyID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"PolicyName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ProcessEndTime\": {\n \"type\": \"date\"\n },\n \"ProcessId\": {\n \"type\": \"long\"\n },\n \"ProcessStartTime\": {\n \"type\": \"date\"\n },\n \"Protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RemoteAddress\": {\n \"type\": \"ip\"\n },\n \"RemotePort\": {\n \"type\": \"long\"\n },\n \"RuleAction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RuleDescription\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RuleFamilyID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RuleGroupName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RuleId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RuleName\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SHA1String\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SHA256String\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SensorId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ServiceName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SessionId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Severity\": {\n \"type\": \"long\"\n },\n \"SeverityName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"StartTimestamp\": {\n \"type\": \"date\"\n },\n \"State\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Success\": {\n \"type\": \"boolean\"\n },\n \"Tactic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Technique\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Timestamp\": {\n \"type\": \"date\"\n },\n \"TreeID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UTCTimestamp\": {\n \"type\": \"date\"\n },\n \"UserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UserIp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UserName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"metadata\": {\n \"type\": \"object\",\n \"properties\": {\n \"customerIDString\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eventCreationTime\": {\n \"type\": \"date\"\n },\n \"eventType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"offset\": {\n \"type\": \"long\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"cyberarkpas\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ca_properties\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpm_disabled\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpm_error_details\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpm_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"customer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"database\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dual_account_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"in_process\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"index\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_fail_date\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_success_change\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_success_reconciliation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_success_verification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_task\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logon_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"other\": {\n \"type\": \"flattened\"\n },\n \"policy_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"privcloud\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reset_immediately\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"retries_count\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sequence_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_dn\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extra_details\": {\n \"type\": \"object\",\n \"properties\": {\n \"ad_process_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ad_process_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_component_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logon_account\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"managed_account\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"other\": {\n \"type\": \"flattened\"\n },\n \"process_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"psmid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_duration\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"file\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gateway_station\": {\n \"type\": \"ip\"\n },\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"iso_timestamp\": {\n \"type\": \"date\"\n },\n \"issuer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"location\": {\n \"ignore_above\": 4096,\n \"index\": false,\n \"type\": \"keyword\",\n \"doc_values\": false\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pvwa_details\": {\n \"type\": \"flattened\"\n },\n \"raw\": {\n \"ignore_above\": 4096,\n \"index\": false,\n \"type\": \"keyword\",\n \"doc_values\": false\n },\n \"reason\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"rfc5424\": {\n \"type\": \"boolean\"\n },\n \"safe\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"station\": {\n \"type\": \"ip\"\n },\n \"target_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"data_stream\": {\n \"type\": \"object\",\n \"properties\": {\n \"dataset\": {\n \"type\": \"constant_keyword\"\n },\n \"namespace\": {\n \"type\": \"constant_keyword\"\n },\n \"type\": {\n \"type\": \"constant_keyword\"\n }\n }\n },\n \"destination\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"geo\": 
{\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"packets\": {\n \"type\": \"long\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"dll\": {\n \"type\": \"object\",\n \"properties\": {\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"trusted\": {\n \"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssdeep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"dns\": {\n \"type\": \"object\",\n \"properties\": {\n \"answers\": {\n \"type\": \"object\",\n \"properties\": {\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ttl\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"header_flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"op_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"question\": {\n \"type\": \"object\",\n \"properties\": {\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"resolved_ip\": {\n \"type\": \"ip\"\n },\n \"response_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"docker\": {\n \"type\": \"object\",\n \"properties\": {\n \"attrs\": {\n \"type\": \"object\"\n },\n \"container\": {\n \"type\": \"object\",\n \"properties\": {\n \"labels\": {\n \"type\": \"object\"\n }\n 
}\n }\n }\n },\n \"ecs\": {\n \"type\": \"object\",\n \"properties\": {\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"elasticsearch\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"component\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indices\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"invalidate\": {\n \"type\": \"object\",\n \"properties\": {\n \"apikeys\": {\n \"type\": \"object\",\n \"properties\": {\n \"owned_by_authenticated_user\": {\n \"type\": \"boolean\"\n }\n }\n }\n }\n },\n \"layer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"opaque_id\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"origin\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"realm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"url\": {\n \"type\": \"object\",\n \"properties\": {\n \"params\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"realm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"run_as\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"realm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"cluster\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"component\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"elastic_product_origin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event\": {\n \"type\": \"object\",\n \"properties\": {\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"gc\": {\n \"type\": \"object\",\n \"properties\": {\n \"heap\": {\n \"type\": \"object\",\n \"properties\": {\n \"size_kb\": {\n \"type\": \"long\"\n },\n \"used_kb\": {\n \"type\": \"long\"\n }\n }\n },\n \"jvm_runtime_sec\": {\n \"type\": \"float\"\n },\n \"old_gen\": {\n \"type\": \"object\",\n \"properties\": {\n \"size_kb\": {\n \"type\": \"long\"\n },\n \"used_kb\": {\n \"type\": \"long\"\n }\n }\n },\n \"phase\": {\n \"type\": \"object\",\n \"properties\": {\n \"class_unload_time_sec\": {\n \"type\": \"float\"\n },\n \"cpu_time\": {\n \"type\": \"object\",\n \"properties\": {\n \"real_sec\": {\n \"type\": \"float\"\n },\n \"sys_sec\": {\n \"type\": \"float\"\n },\n \"user_sec\": {\n \"type\": \"float\"\n }\n }\n },\n \"duration_sec\": {\n \"type\": \"float\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parallel_rescan_time_sec\": {\n \"type\": \"float\"\n },\n \"scrub_string_table_time_sec\": {\n \"type\": \"float\"\n },\n \"scrub_symbol_table_time_sec\": {\n \"type\": \"float\"\n },\n \"weak_refs_processing_time_sec\": {\n \"type\": \"float\"\n }\n }\n },\n \"stopping_threads_time_sec\": {\n \"type\": \"float\"\n },\n \"tags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threads_total_stop_time_sec\": {\n \"type\": \"float\"\n },\n \"young_gen\": {\n \"type\": \"object\",\n \"properties\": {\n \"size_kb\": {\n 
\"type\": \"long\"\n },\n \"used_kb\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"x_opaque_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"index\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"node\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"gc\": {\n \"type\": \"object\",\n \"properties\": {\n \"collection_duration\": {\n \"type\": \"object\",\n \"properties\": {\n \"ms\": {\n \"type\": \"float\"\n }\n }\n },\n \"observation_duration\": {\n \"type\": \"object\",\n \"properties\": {\n \"ms\": {\n \"type\": \"float\"\n }\n }\n },\n \"overhead_seq\": {\n \"type\": \"long\"\n },\n \"young\": {\n \"type\": \"object\",\n \"properties\": {\n \"one\": {\n \"type\": \"long\"\n },\n \"two\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"stacktrace\": {\n \"ignore_above\": 1024,\n \"index\": false,\n \"type\": \"keyword\"\n }\n }\n },\n \"shard\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"slowlog\": {\n \"type\": \"object\",\n \"properties\": {\n \"extra_source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logger\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"routing\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"search_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"source_query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"stats\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"took\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total_hits\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total_shards\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"elf\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"byte_order\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"exports\": {\n \"type\": \"flattened\"\n },\n \"header\": {\n \"type\": \"object\",\n \"properties\": {\n \"abi_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entrypoint\": {\n \"type\": \"long\"\n },\n \"object_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_abi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"imports\": {\n \"type\": \"flattened\"\n },\n \"sections\": {\n \"type\": \"nested\",\n \"properties\": {\n \"chi2\": {\n \"type\": \"long\"\n },\n \"entropy\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_address\": {\n \"type\": \"long\"\n },\n \"virtual_size\": {\n \"type\": \"long\"\n }\n }\n },\n \"segments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"sections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shared_libraries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"telfhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"envoyproxy\": {\n \"type\": \"object\",\n \"properties\": {\n \"authority\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"proxy_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"response_flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"upstream_service_time\": {\n \"type\": \"long\"\n }\n }\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"type\": \"match_only_text\"\n },\n \"stack_trace\": {\n \"type\": \"wildcard\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"event\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agent_id_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created\": {\n \"type\": \"date\"\n },\n \"dataset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"long\"\n },\n \"end\": {\n \"type\": \"date\"\n },\n \"hash\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ingested\": {\n \"type\": \"date\"\n },\n \"kind\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"module\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original\": {\n \"ignore_above\": 1024,\n \"index\": false,\n \"type\": \"keyword\",\n \"doc_values\": false\n },\n \"outcome\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_score\": {\n \"type\": \"float\"\n },\n \"risk_score_norm\": {\n \"type\": \"float\"\n },\n \"sequence\": {\n \"type\": \"long\"\n },\n \"severity\": {\n \"type\": \"long\"\n },\n \"start\": {\n \"type\": \"date\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"faas\": {\n \"type\": \"object\",\n \"properties\": {\n \"coldstart\": {\n \"type\": \"boolean\"\n },\n \"execution\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trigger\": {\n \"type\": \"nested\",\n \"properties\": {\n \"request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"fields\": {\n \"type\": \"object\"\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"accessed\": {\n \"type\": \"date\"\n },\n \"attributes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"trusted\": {\n \"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"created\": {\n \"type\": \"date\"\n },\n \"ctime\": {\n \"type\": \"date\"\n },\n \"device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"directory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"drive_letter\": {\n \"ignore_above\": 1,\n \"type\": \"keyword\"\n },\n \"elf\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"byte_order\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"exports\": {\n \"type\": \"flattened\"\n },\n \"header\": {\n \"type\": \"object\",\n \"properties\": {\n \"abi_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entrypoint\": {\n \"type\": \"long\"\n },\n \"object_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_abi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"imports\": {\n \"type\": \"flattened\"\n },\n \"sections\": {\n \"type\": \"nested\",\n \"properties\": {\n \"chi2\": {\n \"type\": \"long\"\n },\n \"entropy\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"physical_offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_address\": {\n \"type\": \"long\"\n },\n \"virtual_size\": {\n \"type\": \"long\"\n }\n }\n },\n \"segments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"sections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shared_libraries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"telfhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fork_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssdeep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"inode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mtime\": {\n \"type\": \"date\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"target_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n 
\"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"fileset\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"forcepoint\": {\n \"type\": \"object\",\n \"properties\": {\n \"virus_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"fortinet\": {\n \"type\": \"object\",\n \"properties\": {\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"crc32\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"firewall\": {\n \"type\": \"object\",\n \"properties\": {\n \"acct_stat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"acktime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"act\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"activity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"addr\": {\n \"type\": \"ip\"\n },\n \"addr_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"addrgrp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"adgroup\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"admin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"age\": {\n \"type\": \"long\"\n },\n \"agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alarmid\": {\n \"type\": \"long\"\n },\n \"alert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"analyticscksum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"analyticssubmit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ap\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app-type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"appact\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"appid\": {\n \"type\": \"long\"\n },\n \"applist\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"apprisk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"apscan\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"apsn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"apstatus\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"aptype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"assigned\": {\n \"type\": \"ip\"\n },\n \"assignip\": {\n \"type\": \"ip\"\n },\n \"attachment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attack\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attackcontext\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attackcontextid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attackid\": {\n \"type\": \"long\"\n },\n \"auditid\": {\n \"type\": \"long\"\n },\n \"auditscore\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"audittime\": {\n \"type\": \"long\"\n },\n \"authgrp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authid\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"authproto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authserver\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bandwidth\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"banned_rule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"banned_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"banword\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"botnetdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"botnetip\": {\n \"type\": \"ip\"\n },\n \"bssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"call_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"carrier_ep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cat\": {\n \"type\": \"long\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cdrcontent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"centralnatid\": {\n \"type\": \"long\"\n },\n \"cert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert-type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"certhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfgattr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfgobj\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfgpath\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfgtid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfgtxpower\": {\n \"type\": \"long\"\n },\n \"channel\": {\n \"type\": \"long\"\n },\n \"channeltype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"chassisid\": {\n \"type\": \"long\"\n },\n \"checksum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"chgheaders\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cldobjid\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"client_addr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cloudaction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"clouduser\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"column\": {\n \"type\": \"long\"\n },\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"community\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"configcountry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"conserve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"constraint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"contentdisarmed\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"contenttype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cookies\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"count\": {\n \"type\": \"long\"\n },\n \"countapp\": {\n \"type\": \"long\"\n },\n \"countav\": {\n \"type\": \"long\"\n },\n \"countcifs\": {\n \"type\": \"long\"\n },\n \"countdlp\": {\n \"type\": \"long\"\n },\n \"countdns\": {\n \"type\": \"long\"\n },\n \"countemail\": {\n \"type\": \"long\"\n },\n \"countff\": {\n \"type\": \"long\"\n },\n \"countips\": {\n \"type\": \"long\"\n },\n \"countssh\": {\n \"type\": \"long\"\n },\n \"countssl\": {\n \"type\": \"long\"\n },\n \"countwaf\": {\n \"type\": \"long\"\n },\n \"countweb\": {\n \"type\": \"long\"\n },\n \"cpu\": {\n \"type\": \"long\"\n },\n \"craction\": {\n \"type\": \"long\"\n },\n \"criticalcount\": {\n \"type\": \"long\"\n },\n \"crl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"crlevel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"crscore\": {\n \"type\": \"long\"\n },\n \"cveid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"daemon\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"datarange\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"date\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ddnsserver\": {\n \"type\": \"ip\"\n },\n \"desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"detectionmethod\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"devcategory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"devintfname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"devtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dhcp_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dintf\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"disk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"disklograte\": {\n \"type\": \"long\"\n },\n \"dlpextra\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"docsource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domainctrlauthstate\": {\n \"type\": \"long\"\n },\n \"domainctrlauthtype\": {\n \"type\": \"long\"\n },\n \"domainctrldomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domainctrlip\": {\n \"type\": \"ip\"\n },\n \"domainctrlname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domainctrlprotocoltype\": {\n \"type\": \"long\"\n },\n \"domainctrlusername\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domainfilteridx\": {\n \"type\": \"long\"\n },\n \"domainfilterlist\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ds\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_int\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstcountry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstdevcategory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstdevtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstfamily\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"dsthwvendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dsthwversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstinetsvc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstintfrole\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstosname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstosversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstserver\": {\n \"type\": \"long\"\n },\n \"dstssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstswversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstunauthusersource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstuuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eapolcnt\": {\n \"type\": \"long\"\n },\n \"eapoltype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"encrypt\": {\n \"type\": \"long\"\n },\n \"encryption\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"epoch\": {\n \"type\": \"long\"\n },\n \"espauth\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"esptransform\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eventtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exch\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exchange\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"expectedsignature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"expiry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fams_pause\": {\n \"type\": \"long\"\n },\n \"fazlograte\": {\n \"type\": \"long\"\n },\n \"fctemssn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fctuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"field\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"filefilter\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filehashsrc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filtercat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filteridx\": {\n \"type\": \"long\"\n },\n \"filtername\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filtertype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fortiguardresp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"forwardedfor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fqdn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"frametype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"freediskstorage\": {\n \"type\": \"long\"\n },\n \"from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"from_vcluster\": {\n \"type\": \"long\"\n },\n \"fsaverdict\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fwserver_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gateway\": {\n \"type\": \"ip\"\n },\n \"green\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"groupid\": {\n \"type\": \"long\"\n },\n \"ha-prio\": {\n \"type\": \"long\"\n },\n \"ha_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ha_role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"handshake\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hbdn_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"highcount\": {\n \"type\": \"long\"\n },\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"iaid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmpcode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmpid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmptype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"identifier\": {\n \"type\": \"long\"\n },\n \"in_spi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incidentserialno\": {\n \"type\": \"long\"\n },\n \"infected\": {\n \"type\": \"long\"\n },\n \"infectedfilelevel\": {\n \"type\": \"long\"\n },\n \"informationsource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"init\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"initiator\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"intf\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"invalidmac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"iptype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"keyword\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kind\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lanin\": {\n \"type\": \"long\"\n },\n \"lanout\": {\n \"type\": \"long\"\n },\n \"lease\": {\n \"type\": \"long\"\n },\n \"license_limit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"limit\": {\n \"type\": \"long\"\n },\n \"line\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"live\": {\n \"type\": \"long\"\n },\n \"local\": {\n \"type\": \"ip\"\n },\n \"log\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lowcount\": {\n \"type\": \"long\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"malform_data\": {\n \"type\": \"long\"\n },\n \"malform_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"manuf\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"masterdstmac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mastersrcmac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mediumcount\": {\n \"type\": \"long\"\n },\n 
\"mem\": {\n \"type\": \"long\"\n },\n \"meshmode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mgmtcnt\": {\n \"type\": \"long\"\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"module\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"monitor-name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"monitor-type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mpsk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgproto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mtu\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"new_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"new_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"newchannel\": {\n \"type\": \"long\"\n },\n \"newchassisid\": {\n \"type\": \"long\"\n },\n \"newslot\": {\n \"type\": \"long\"\n },\n \"nextstat\": {\n \"type\": \"long\"\n },\n \"nf_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"noise\": {\n \"type\": \"long\"\n },\n \"old_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldchannel\": {\n \"type\": \"long\"\n },\n \"oldchassisid\": {\n \"type\": \"long\"\n },\n \"oldslot\": {\n \"type\": \"long\"\n },\n \"oldsn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldwprof\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"onwire\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"opercountry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"opertxpower\": {\n \"type\": \"long\"\n },\n \"osname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"osversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"out_spi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"outintf\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"passedcount\": {\n \"type\": \"long\"\n },\n \"passwd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer_notif\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phase2_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pid\": {\n \"type\": \"long\"\n },\n \"policytype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"poolname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"portbegin\": {\n \"type\": \"long\"\n },\n \"portend\": {\n \"type\": \"long\"\n },\n \"probeproto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"processtime\": {\n \"type\": \"long\"\n },\n \"profile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"profile_vd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"profilegroup\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"profiletype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"qtypeval\": {\n \"type\": \"long\"\n },\n \"quarskip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"quotaexceeded\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"quotamax\": {\n \"type\": \"long\"\n },\n \"quotatype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"quotaused\": {\n \"type\": \"long\"\n },\n \"radioband\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"radioid\": {\n \"type\": \"long\"\n },\n \"radioidclosest\": {\n \"type\": \"long\"\n },\n \"radioiddetected\": {\n \"type\": \"long\"\n },\n \"rate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rawdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rawdataid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rcvddelta\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"received\": {\n \"type\": \"long\"\n },\n \"receivedsignature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"red\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"referralurl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote\": {\n \"type\": \"ip\"\n },\n \"remotewtptime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reporttype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reqtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rssi\": {\n \"type\": \"long\"\n },\n \"rsso_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ruledata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ruletype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scanned\": {\n \"type\": \"long\"\n },\n \"scantime\": {\n \"type\": \"long\"\n },\n \"scope\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"security\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sensitivity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sensor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sentdelta\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"seq\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serial\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serialno\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sessionid\": {\n \"type\": \"long\"\n },\n \"setuprate\": {\n \"type\": \"long\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shaperdroprcvdbyte\": {\n \"type\": \"long\"\n },\n \"shaperdropsentbyte\": {\n \"type\": \"long\"\n },\n \"shaperperipdropbyte\": {\n \"type\": \"long\"\n },\n \"shaperperipname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shaperrcvdname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shapersentname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shapingpolicyid\": {\n \"type\": \"long\"\n },\n \"signal\": {\n \"type\": \"long\"\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"slot\": {\n \"type\": \"long\"\n },\n \"sn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"snclosest\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sndetected\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"snmeshparent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"spi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_int\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srccountry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcfamily\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srchwvendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srchwversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcinetsvc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcintfrole\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"srcname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcserver\": {\n \"type\": \"long\"\n },\n \"srcssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcswversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcuuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sscname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sslaction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssllocal\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sslremote\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"stacount\": {\n \"type\": \"long\"\n },\n \"stage\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"stamac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"stitch\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"submodule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subservice\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suspicious\": {\n \"type\": \"long\"\n },\n \"switchproto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sync_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sync_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sysuptime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tamac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threattype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"to\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"to_vcluster\": {\n \"type\": \"long\"\n },\n \"total\": {\n \"type\": \"long\"\n },\n \"totalsession\": {\n \"type\": \"long\"\n },\n \"trace_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trandisp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transid\": {\n \"type\": \"long\"\n },\n \"translationid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trigger\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trueclntip\": {\n \"type\": \"ip\"\n },\n \"tunnelid\": {\n \"type\": \"long\"\n },\n \"tunnelip\": {\n \"type\": \"ip\"\n },\n \"tunneltype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ui\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"unauthusersource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"unit\": {\n \"type\": \"long\"\n },\n \"urlfilteridx\": {\n \"type\": \"long\"\n },\n \"urlfilterlist\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"urlsource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"urltype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"used\": {\n \"type\": \"long\"\n },\n \"used_for_type\": {\n \"type\": \"long\"\n },\n \"utmaction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"utmref\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vap\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vapmode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vcluster\": {\n \"type\": \"long\"\n },\n \"vcluster_member\": {\n \"type\": \"long\"\n },\n \"vcluster_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vdname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vendorurl\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virus\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virusid\": {\n \"type\": \"long\"\n },\n \"voip_proto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpntunnel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpntype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vrf\": {\n \"type\": \"long\"\n },\n \"vulncat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vulnid\": {\n \"type\": \"long\"\n },\n \"vulnname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vwlid\": {\n \"type\": \"long\"\n },\n \"vwlquality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vwlservice\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vwpvlanid\": {\n \"type\": \"long\"\n },\n \"wanin\": {\n \"type\": \"long\"\n },\n \"wanoptapptype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"wanout\": {\n \"type\": \"long\"\n },\n \"weakwepiv\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"xauthgroup\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"xauthuser\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"xid\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"gcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"authentication_info\": {\n \"type\": \"object\",\n \"properties\": {\n \"authority_selector\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"principal_email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"method_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"num_response_items\": {\n \"type\": \"long\"\n },\n \"request\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"filter\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"proto_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"request_metadata\": {\n \"type\": \"object\",\n \"properties\": {\n \"caller_ip\": {\n \"type\": \"ip\"\n },\n \"caller_supplied_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"resource_location\": {\n \"type\": \"object\",\n \"properties\": {\n \"current_locations\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"resource_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"details\": {\n \"type\": \"object\",\n \"properties\": {\n \"group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kind\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"proto_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"service_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"destination\": {\n \"type\": \"object\",\n \"properties\": {\n \"instance\": {\n \"type\": \"object\",\n \"properties\": {\n \"project_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n }\n }\n },\n \"vpc\": {\n \"type\": \"object\",\n \"properties\": {\n \"project_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subnetwork_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpc_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"firewall\": {\n \"type\": \"object\",\n \"properties\": {\n \"rule_details\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_range\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priority\": {\n \"type\": \"long\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_range\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_service_account\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target_service_account\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target_tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"source\": {\n \"type\": \"object\",\n \"properties\": {\n \"instance\": {\n \"type\": \"object\",\n \"properties\": {\n \"project_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vpc\": {\n \"type\": \"object\",\n \"properties\": {\n \"project_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subnetwork_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpc_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"vpcflow\": {\n \"type\": \"object\",\n \"properties\": {\n \"reporter\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"rtt\": {\n \"type\": \"object\",\n \"properties\": {\n \"ms\": {\n \"type\": \"long\"\n }\n }\n }\n }\n }\n }\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"google_workspace\": {\n \"type\": \"object\",\n \"properties\": {\n \"actor\": {\n \"type\": \"object\",\n \"properties\": {\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"admin\": {\n \"type\": \"object\",\n \"properties\": {\n \"alert\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"api\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"scopes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"application\": {\n \"type\": \"object\",\n \"properties\": {\n \"asp_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"edition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"enabled\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"licences_order_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"licences_purchased\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"package_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"bulk_upload\": {\n \"type\": \"object\",\n \"properties\": {\n \"failed\": {\n \"type\": \"long\"\n },\n \"total\": {\n \"type\": \"long\"\n }\n }\n },\n \"chrome_licenses\": {\n \"type\": \"object\",\n \"properties\": {\n \"allowed\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"enabled\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"chrome_os\": {\n \"type\": \"object\",\n \"properties\": {\n \"session_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"device\": {\n \"type\": \"object\",\n \"properties\": {\n \"command_details\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"distribution\": {\n \"type\": \"object\",\n \"properties\": {\n \"entity\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"domain\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"secondary_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"email\": {\n \"type\": \"object\",\n \"properties\": {\n \"log_search_filter\": {\n \"type\": \"object\",\n \"properties\": {\n 
\"end_date\": {\n \"type\": \"date\"\n },\n \"message_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"recipient\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"sender\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"start_date\": {\n \"type\": \"date\"\n }\n }\n },\n \"quarantine_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"email_dump\": {\n \"type\": \"object\",\n \"properties\": {\n \"include_deleted\": {\n \"type\": \"boolean\"\n },\n \"package_content\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"email_monitor\": {\n \"type\": \"object\",\n \"properties\": {\n \"dest_email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"level\": {\n \"type\": \"object\",\n \"properties\": {\n \"chat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"draft\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incoming\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"outgoing\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"field\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gateway\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"allowed_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priorities\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"info_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"managed_configuration\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mdm\": {\n \"type\": \"object\",\n \"properties\": {\n \"token\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"mobile\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"certificate\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"company_owned_devices\": {\n \"type\": \"long\"\n }\n }\n },\n \"new_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"non_featured_services_selection\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oauth2\": {\n \"type\": \"object\",\n \"properties\": {\n \"application\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"old_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"org_unit\": {\n \"type\": \"object\",\n \"properties\": {\n \"full\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"print_server\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"printer\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"privilege\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"product\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sku\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"resource\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"role\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"rule\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"setting\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"url\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"birthdate\": {\n \"type\": \"date\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nickname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user_defined_setting\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"verification_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"drive\": {\n \"type\": \"object\",\n \"properties\": {\n \"added_role\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"billable\": {\n \"type\": \"boolean\"\n },\n \"destination_folder_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_folder_title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_shared_drive\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"membership_change_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"new_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_visibility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"originating_app_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"primary_event\": {\n \"type\": \"boolean\"\n },\n \"removed_role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shared_drive_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shared_drive_settings_change_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sheets_import_range_recipient_doc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_folder_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_folder_title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"visibility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"visibility_change\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"event\": {\n \"type\": \"object\",\n \"properties\": {\n 
\"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"groups\": {\n \"type\": \"object\",\n \"properties\": {\n \"acl_permission\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"member\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"message\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"moderation_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"new_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"old_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"setting\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"kind\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login\": {\n \"type\": \"object\",\n \"properties\": {\n \"affected_email_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"challenge_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"failure_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_second_factor\": {\n \"type\": \"boolean\"\n },\n \"is_suspicious\": {\n \"type\": \"boolean\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"saml\": {\n \"type\": \"object\",\n \"properties\": {\n \"application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"failure_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"initiated_by\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"orgunit_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"second_level_status_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"haproxy\": {\n \"type\": \"object\",\n \"properties\": {\n \"backend_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"backend_queue\": {\n \"type\": \"long\"\n },\n \"bind_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bytes_read\": {\n \"type\": \"long\"\n },\n \"connection_wait_time_ms\": {\n \"type\": \"long\"\n },\n \"connections\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"backend\": {\n \"type\": \"long\"\n },\n \"frontend\": {\n \"type\": \"long\"\n },\n \"retries\": {\n \"type\": \"long\"\n },\n \"server\": {\n \"type\": \"long\"\n }\n }\n },\n \"error_message\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"frontend_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"captured_cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"captured_headers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"raw_request_line\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time_wait_ms\": {\n \"type\": \"long\"\n },\n \"time_wait_without_data_ms\": {\n \"type\": \"long\"\n }\n }\n },\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"captured_cookie\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"captured_headers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server_queue\": {\n \"type\": \"long\"\n },\n \"source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"connection_waiting_time_ms\": {\n \"type\": \"long\"\n }\n }\n },\n \"termination_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time_backend_connect\": {\n \"type\": \"long\"\n },\n \"time_queue\": {\n \"type\": \"long\"\n },\n \"total_waiting_time_ms\": {\n \"type\": \"long\"\n }\n }\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssdeep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"host\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"containerized\": {\n \"type\": \"boolean\"\n },\n \"cpu\": {\n \"type\": \"object\",\n \"properties\": {\n \"usage\": {\n \"scaling_factor\": 1000,\n \"type\": \"scaled_float\"\n }\n }\n },\n \"disk\": {\n \"type\": \"object\",\n \"properties\": {\n \"read\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n }\n }\n },\n \"write\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"network\": {\n \"type\": \"object\",\n \"properties\": {\n \"egress\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n },\n \"packets\": {\n \"type\": \"long\"\n }\n }\n },\n \"ingress\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n },\n \"packets\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"os\": {\n \"type\": \"object\",\n \"properties\": {\n \"build\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"codename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"family\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"kernel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n 
\"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"platform\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uptime\": {\n \"type\": \"long\"\n }\n }\n },\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"body\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n },\n \"content\": {\n \"type\": \"wildcard\"\n }\n }\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"referrer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"body\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n },\n \"content\": {\n \"type\": \"wildcard\"\n }\n }\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status_code\": {\n \"type\": \"long\"\n }\n }\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ibmmq\": {\n \"type\": \"object\",\n \"properties\": {\n \"errorlog\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"arithinsert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"commentinsert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"errordescription\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"explanation\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"installation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"qmgr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"icinga\": {\n \"type\": \"object\",\n \"properties\": {\n \"debug\": {\n \"type\": \"object\",\n \"properties\": {\n \"facility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"main\": {\n \"type\": \"object\",\n \"properties\": {\n \"facility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"startup\": {\n \"type\": \"object\",\n \"properties\": {\n \"facility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"icmp\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"igmp\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"iis\": {\n \"type\": \"object\",\n \"properties\": {\n \"access\": {\n \"type\": \"object\",\n \"properties\": {\n \"cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"site_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_status\": {\n \"type\": \"long\"\n },\n \"win32_status\": {\n \"type\": \"long\"\n }\n }\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"queue_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reason_phrase\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"input\": {\n \"type\": \"object\",\n \"properties\": {\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"interface\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"iptables\": {\n \"type\": \"object\",\n \"properties\": {\n \"ether_type\": {\n \"type\": \"long\"\n },\n \"flow_label\": {\n \"type\": \"long\"\n },\n \"fragment_flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fragment_offset\": {\n \"type\": \"long\"\n },\n \"icmp\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"id\": {\n \"type\": \"long\"\n },\n \"parameter\": {\n \"type\": \"long\"\n },\n \"redirect\": {\n \"type\": \"ip\"\n },\n \"seq\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"type\": \"long\"\n }\n }\n },\n \"id\": {\n \"type\": \"long\"\n },\n \"incomplete_bytes\": {\n \"type\": \"long\"\n },\n \"input_device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"length\": {\n \"type\": \"long\"\n },\n \"output_device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"precedence_bits\": {\n \"type\": \"short\"\n },\n \"tcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"ack\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reserved_bits\": {\n \"type\": \"short\"\n },\n \"seq\": {\n \"type\": \"long\"\n },\n \"window\": {\n \"type\": \"long\"\n }\n }\n },\n \"tos\": {\n \"type\": \"long\"\n },\n \"ttl\": {\n \"type\": \"long\"\n },\n \"ubiquiti\": {\n \"type\": \"object\",\n \"properties\": {\n \"input_zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"output_zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_set\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"udp\": {\n \"type\": \"object\",\n \"properties\": {\n \"length\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"jolokia\": {\n \"type\": \"object\",\n \"properties\": {\n \"agent\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"secured\": {\n \"type\": \"boolean\"\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"juniper\": {\n \"type\": \"object\",\n \"properties\": {\n \"srx\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"action_detail\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"apbr_rule_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_characteristics\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_sub_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attack_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_ip\": {\n \"type\": \"ip\"\n },\n \"connection_hit_rate\": {\n \"type\": \"long\"\n },\n \"connection_tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_hit_rate\": {\n \"type\": \"long\"\n },\n \"context_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_value_hit_rate\": {\n 
\"type\": \"long\"\n },\n \"ddos_application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dscp_value\": {\n \"type\": \"long\"\n },\n \"dst_nat_rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_nat_rule_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_vrf_grp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"elapsed_time\": {\n \"type\": \"date\"\n },\n \"encrypted\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"epoch_time\": {\n \"type\": \"date\"\n },\n \"error_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"export_id\": {\n \"type\": \"long\"\n },\n \"feed_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_hash_lookup\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_type\": {\n \"type\": \"long\"\n },\n \"inbound_bytes\": {\n \"type\": \"long\"\n },\n \"inbound_packets\": {\n \"type\": \"long\"\n },\n \"index\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logical_system_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"malware_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_connection_tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nested_application\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"obj\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"occur_count\": {\n \"type\": \"long\"\n },\n \"outbound_bytes\": {\n \"type\": \"long\"\n },\n \"outbound_packets\": {\n \"type\": \"long\"\n },\n \"packet_log_id\": {\n \"type\": \"long\"\n },\n \"peer_destination_address\": {\n \"type\": \"ip\"\n },\n \"peer_destination_port\": {\n \"type\": \"long\"\n },\n \"peer_session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer_source_address\": {\n \"type\": \"ip\"\n },\n \"peer_source_port\": {\n \"type\": \"long\"\n },\n \"policy_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"profile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"profile_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"repeat_count\": {\n \"type\": \"long\"\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"routing_instance\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ruleebase_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sample_sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"secure_web_proxy_session_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id_32\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_nat_rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"src_nat_rule_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_vrf_grp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"temporary_filename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tenant_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"th\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time_count\": {\n \"type\": \"long\"\n },\n \"time_period\": {\n \"type\": \"long\"\n },\n \"time_scope\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uplink_rx_bytes\": {\n \"type\": \"long\"\n },\n \"uplink_tx_bytes\": {\n \"type\": \"long\"\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"verdict_number\": {\n \"type\": \"long\"\n },\n \"verdict_source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"kafka\": {\n \"type\": \"object\",\n \"properties\": {\n \"block_timestamp\": {\n \"type\": \"date\"\n },\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"component\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"thread\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trace\": {\n \"type\": \"object\",\n \"properties\": {\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"message\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n }\n }\n },\n \"offset\": {\n \"type\": \"long\"\n },\n \"partition\": {\n \"type\": \"long\"\n },\n \"topic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"kibana\": {\n \"type\": \"object\",\n \"properties\": {\n \"add_to_spaces\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_realm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"delete_from_spaces\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"meta\": {\n \"type\": \"object\",\n \"properties\": {\n \"req\": {\n \"type\": \"object\",\n \"properties\": {\n \"headers\": {\n \"type\": \"flattened\"\n }\n }\n },\n \"res\": {\n \"type\": \"object\",\n \"properties\": {\n \"headers\": {\n \"type\": \"flattened\"\n }\n }\n }\n }\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"lookup_realm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"saved_object\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"space_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"kubernetes\": {\n \"type\": \"object\",\n \"properties\": {\n \"annotations\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"container\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"deployment\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"labels\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"namespace\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node\": {\n \"type\": \"object\",\n \"properties\": {\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"pod\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"replicaset\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"selectors\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"statefulset\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"labels\": {\n \"type\": \"object\"\n },\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logger\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"offset\": {\n \"type\": \"long\"\n },\n \"origin\": {\n \"type\": \"object\",\n \"properties\": {\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"line\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"function\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"source\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"syslog\": {\n \"type\": \"object\",\n \"properties\": {\n \"facility\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"priority\": {\n \"type\": \"long\"\n },\n \"severity\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"logstash\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"log_event\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"module\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pipeline_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"thread\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n }\n }\n },\n \"slowlog\": {\n \"type\": \"object\",\n \"properties\": {\n \"event\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"module\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"plugin_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"plugin_params\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"plugin_params_object\": {\n \"type\": \"object\"\n },\n \"plugin_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"thread\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"took_in_millis\": {\n \"type\": \"long\"\n }\n }\n 
}\n }\n },\n \"lumberjack\": {\n \"type\": \"flattened\"\n },\n \"message\": {\n \"type\": \"match_only_text\"\n },\n \"metadata\": {\n \"type\": \"flattened\"\n },\n \"microsoft\": {\n \"type\": \"object\",\n \"properties\": {\n \"defender_atp\": {\n \"type\": \"object\",\n \"properties\": {\n \"assignedTo\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"determination\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"evidence\": {\n \"type\": \"object\",\n \"properties\": {\n \"aadUserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"accountName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domainName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entityType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipAddress\": {\n \"type\": \"ip\"\n },\n \"userPrincipalName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"incidentId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"investigationId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"investigationState\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lastUpdateTime\": {\n \"type\": \"date\"\n },\n \"rbacGroupName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resolvedTime\": {\n \"type\": \"date\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threatFamilyName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"m365_defender\": {\n \"type\": \"object\",\n \"properties\": {\n \"alerts\": {\n \"type\": \"object\",\n \"properties\": {\n \"actorName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"assignedTo\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creationTime\": {\n \"type\": \"date\"\n },\n 
\"detectionSource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"determination\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"devices\": {\n \"type\": \"flattened\"\n },\n \"entities\": {\n \"type\": \"object\",\n \"properties\": {\n \"accountName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"clusterBy\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deliveryAction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deviceId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entityType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mailboxAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mailboxDisplayName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"recipient\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registryHive\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registryKey\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registryValueType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"securityGroupId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"securityGroupName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sender\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"incidentId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"investigationId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"investigationState\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lastUpdatedTime\": {\n \"type\": \"date\"\n },\n \"mitreTechniques\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resolvedTime\": {\n \"type\": \"date\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threatFamilyName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"userSid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"assignedTo\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"determination\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incidentId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"incidentName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"investigationState\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"redirectIncidentId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"misp\": {\n \"type\": \"object\",\n \"properties\": {\n \"attack_pattern\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kill_chain_phases\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"campaign\": {\n \"type\": \"object\",\n \"properties\": {\n \"aliases\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"first_seen\": {\n \"type\": \"date\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_seen\": {\n \"type\": \"date\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"objective\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"course_of_action\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n 
\"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"identity\": {\n \"type\": \"object\",\n \"properties\": {\n \"contact_information\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identity_class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"labels\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sectors\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"intrusion_set\": {\n \"type\": \"object\",\n \"properties\": {\n \"aliases\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"first_seen\": {\n \"type\": \"date\"\n },\n \"goals\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_seen\": {\n \"type\": \"date\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"primary_motivation\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"resource_level\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"secondary_motivations\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"malware\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kill_chain_phases\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"labels\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"note\": {\n \"type\": \"object\",\n \"properties\": {\n \"authors\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": 
{\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"object_refs\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"summary\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"observed_data\": {\n \"type\": \"object\",\n \"properties\": {\n \"first_observed\": {\n \"type\": \"date\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_observed\": {\n \"type\": \"date\"\n },\n \"number_observed\": {\n \"type\": \"long\"\n },\n \"objects\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"report\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"labels\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"object_refs\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"published\": {\n \"type\": \"date\"\n }\n }\n },\n \"threat_actor\": {\n \"type\": \"object\",\n \"properties\": {\n \"aliases\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"goals\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"labels\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"personal_motivations\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"primary_motivation\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"resource_level\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"roles\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"secondary_motivations\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"sophistication\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n 
\"threat_indicator\": {\n \"type\": \"object\",\n \"properties\": {\n \"attack_pattern\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attack_pattern_kql\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"campaign\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"confidence\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"feed\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"intrusion_set\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kill_chain_phases\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"labels\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_tactic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mitre_technique\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"negate\": {\n \"type\": \"boolean\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_actor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"valid_from\": {\n \"type\": \"date\"\n },\n \"valid_until\": {\n \"type\": \"date\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"tool\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kill_chain_phases\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"labels\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tool_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vulnerability\": {\n \"type\": \"object\",\n \"properties\": {\n \"description\": {\n \"norms\": false,\n 
\"type\": \"text\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"mongodb\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"component\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"mssql\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"origin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"mysql\": {\n \"type\": \"object\",\n \"properties\": {\n \"slowlog\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes_received\": {\n \"type\": \"long\"\n },\n \"bytes_sent\": {\n \"type\": \"long\"\n },\n \"current_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filesort\": {\n \"type\": \"boolean\"\n },\n \"filesort_on_disk\": {\n \"type\": \"boolean\"\n },\n \"full_join\": {\n \"type\": \"boolean\"\n },\n \"full_scan\": {\n \"type\": \"boolean\"\n },\n \"innodb\": {\n \"type\": \"object\",\n \"properties\": {\n \"io_r_bytes\": {\n \"type\": \"long\"\n },\n \"io_r_ops\": {\n \"type\": \"long\"\n },\n \"io_r_wait\": {\n \"type\": \"object\",\n \"properties\": {\n \"sec\": {\n \"type\": \"long\"\n }\n }\n },\n \"pages_distinct\": {\n \"type\": \"long\"\n },\n \"queue_wait\": {\n \"type\": \"object\",\n \"properties\": {\n \"sec\": {\n \"type\": \"long\"\n }\n }\n },\n \"rec_lock_wait\": {\n \"type\": \"object\",\n \"properties\": {\n \"sec\": {\n \"type\": \"long\"\n }\n }\n },\n \"trx_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"killed\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_errno\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lock_time\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"sec\": {\n \"type\": \"float\"\n }\n }\n },\n \"log_slow_rate_limit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_slow_rate_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"merge_passes\": {\n \"type\": \"long\"\n },\n \"priority_queue\": {\n \"type\": \"boolean\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query_cache_hit\": {\n \"type\": \"boolean\"\n },\n \"read_first\": {\n \"type\": \"long\"\n },\n \"read_key\": {\n \"type\": \"long\"\n },\n \"read_last\": {\n \"type\": \"long\"\n },\n \"read_next\": {\n \"type\": \"long\"\n },\n \"read_prev\": {\n \"type\": \"long\"\n },\n \"read_rnd\": {\n \"type\": \"long\"\n },\n \"read_rnd_next\": {\n \"type\": \"long\"\n },\n \"rows_affected\": {\n \"type\": \"long\"\n },\n \"rows_examined\": {\n \"type\": \"long\"\n },\n \"rows_sent\": {\n \"type\": \"long\"\n },\n \"schema\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sort_merge_passes\": {\n \"type\": \"long\"\n },\n \"sort_range_count\": {\n \"type\": \"long\"\n },\n \"sort_rows\": {\n \"type\": \"long\"\n },\n \"sort_scan_count\": {\n \"type\": \"long\"\n },\n \"tmp_disk_tables\": {\n \"type\": \"long\"\n },\n \"tmp_table\": {\n \"type\": \"boolean\"\n },\n \"tmp_table_on_disk\": {\n \"type\": \"boolean\"\n },\n \"tmp_table_sizes\": {\n \"type\": \"long\"\n },\n \"tmp_tables\": {\n \"type\": \"long\"\n }\n }\n },\n \"thread_id\": {\n \"type\": \"long\"\n }\n }\n },\n \"mysqlenterprise\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"account\": {\n \"type\": \"object\",\n \"properties\": {\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_data\": {\n \"type\": \"object\",\n \"properties\": {\n 
\"connection_attributes\": {\n \"type\": \"flattened\"\n },\n \"connection_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"type\": \"long\"\n }\n }\n },\n \"connection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"general_data\": {\n \"type\": \"object\",\n \"properties\": {\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sql_command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"type\": \"long\"\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login\": {\n \"type\": \"object\",\n \"properties\": {\n \"os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"proxy\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shutdown_data\": {\n \"type\": \"object\",\n \"properties\": {\n \"server_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"startup_data\": {\n \"type\": \"object\",\n \"properties\": {\n \"mysql_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"table_access_data\": {\n \"type\": \"object\",\n \"properties\": {\n \"db\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sql_command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"table\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"nats\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"type\": \"long\"\n }\n }\n },\n \"msg\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"long\"\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"message\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n },\n \"max_messages\": {\n \"type\": \"long\"\n },\n \"queue_group\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"reply_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sid\": {\n \"type\": \"long\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"netflow\": {\n \"type\": \"object\",\n \"properties\": {\n \"absolute_error\": {\n \"type\": \"double\"\n },\n \"address_pool_high_threshold\": {\n \"type\": \"long\"\n },\n \"address_pool_low_threshold\": {\n \"type\": \"long\"\n },\n \"address_port_mapping_high_threshold\": {\n \"type\": \"long\"\n },\n \"address_port_mapping_low_threshold\": {\n \"type\": \"long\"\n },\n \"address_port_mapping_per_user_high_threshold\": {\n \"type\": \"long\"\n },\n \"afc_protocol\": {\n \"type\": \"long\"\n },\n \"afc_protocol_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"anonymization_flags\": {\n \"type\": \"long\"\n },\n \"anonymization_technique\": {\n \"type\": \"long\"\n },\n \"application_business-relevance\": {\n \"type\": \"long\"\n },\n \"application_category_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_group_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_http_uri_statistics\": {\n \"type\": \"short\"\n },\n \"application_http_user-agent\": {\n \"type\": \"short\"\n },\n \"application_id\": {\n \"type\": \"short\"\n },\n \"application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_sub_category_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"application_traffic-class\": {\n \"type\": \"long\"\n },\n \"art_client_network_time_maximum\": {\n \"type\": \"long\"\n },\n \"art_client_network_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_client_network_time_sum\": {\n \"type\": \"long\"\n },\n \"art_clientpackets\": {\n \"type\": \"long\"\n },\n \"art_count_late_responses\": {\n \"type\": \"long\"\n },\n \"art_count_new_connections\": {\n \"type\": \"long\"\n },\n \"art_count_responses\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket1\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket2\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket3\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket4\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket5\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket6\": {\n \"type\": \"long\"\n },\n \"art_count_responses_histogram_bucket7\": {\n \"type\": \"long\"\n },\n \"art_count_retransmissions\": {\n \"type\": \"long\"\n },\n \"art_count_transactions\": {\n \"type\": \"long\"\n },\n \"art_network_time_maximum\": {\n \"type\": \"long\"\n },\n \"art_network_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_network_time_sum\": {\n \"type\": \"long\"\n },\n \"art_response_time_maximum\": {\n \"type\": \"long\"\n },\n \"art_response_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_response_time_sum\": {\n \"type\": \"long\"\n },\n \"art_server_network_time_maximum\": {\n \"type\": \"long\"\n },\n \"art_server_network_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_server_network_time_sum\": {\n \"type\": \"long\"\n },\n \"art_server_response_time_maximum\": {\n \"type\": \"long\"\n },\n \"art_server_response_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_server_response_time_sum\": {\n \"type\": \"long\"\n },\n \"art_serverpackets\": {\n \"type\": \"long\"\n },\n \"art_total_response_time_maximum\": {\n \"type\": \"long\"\n },\n 
\"art_total_response_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_total_response_time_sum\": {\n \"type\": \"long\"\n },\n \"art_total_transaction_time_maximum\": {\n \"type\": \"long\"\n },\n \"art_total_transaction_time_minimum\": {\n \"type\": \"long\"\n },\n \"art_total_transaction_time_sum\": {\n \"type\": \"long\"\n },\n \"assembled_fragment_count\": {\n \"type\": \"long\"\n },\n \"audit_counter\": {\n \"type\": \"long\"\n },\n \"average_interarrival_time\": {\n \"type\": \"long\"\n },\n \"bgp_destination_as_number\": {\n \"type\": \"long\"\n },\n \"bgp_next_adjacent_as_number\": {\n \"type\": \"long\"\n },\n \"bgp_next_hop_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"bgp_next_hop_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"bgp_prev_adjacent_as_number\": {\n \"type\": \"long\"\n },\n \"bgp_source_as_number\": {\n \"type\": \"long\"\n },\n \"bgp_validity_state\": {\n \"type\": \"short\"\n },\n \"biflow_direction\": {\n \"type\": \"short\"\n },\n \"bind_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"bind_transport_port\": {\n \"type\": \"long\"\n },\n \"class_id\": {\n \"type\": \"long\"\n },\n \"class_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification_engine_id\": {\n \"type\": \"short\"\n },\n \"collection_time_milliseconds\": {\n \"type\": \"date\"\n },\n \"collector_certificate\": {\n \"type\": \"short\"\n },\n \"collector_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"collector_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"collector_transport_port\": {\n \"type\": \"long\"\n },\n \"common_properties_id\": {\n \"type\": \"long\"\n },\n \"confidence_level\": {\n \"type\": \"double\"\n },\n \"conn_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"conn_transport_port\": {\n \"type\": \"long\"\n },\n \"connection_sum_duration_seconds\": {\n \"type\": \"long\"\n },\n \"connection_transaction_id\": {\n \"type\": \"long\"\n },\n \"conntrack_id\": {\n \"type\": \"long\"\n },\n \"data_byte_count\": {\n \"type\": \"long\"\n },\n 
\"data_link_frame_section\": {\n \"type\": \"short\"\n },\n \"data_link_frame_size\": {\n \"type\": \"long\"\n },\n \"data_link_frame_type\": {\n \"type\": \"long\"\n },\n \"data_records_reliability\": {\n \"type\": \"boolean\"\n },\n \"delta_flow_count\": {\n \"type\": \"long\"\n },\n \"destination_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"destination_ipv4_prefix\": {\n \"type\": \"ip\"\n },\n \"destination_ipv4_prefix_length\": {\n \"type\": \"short\"\n },\n \"destination_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"destination_ipv6_prefix\": {\n \"type\": \"ip\"\n },\n \"destination_ipv6_prefix_length\": {\n \"type\": \"short\"\n },\n \"destination_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_transport_port\": {\n \"type\": \"long\"\n },\n \"digest_hash_value\": {\n \"type\": \"long\"\n },\n \"distinct_count_of_destination_ip_address\": {\n \"type\": \"long\"\n },\n \"distinct_count_of_destination_ipv4_address\": {\n \"type\": \"long\"\n },\n \"distinct_count_of_destination_ipv6_address\": {\n \"type\": \"long\"\n },\n \"distinct_count_of_source_ip_address\": {\n \"type\": \"long\"\n },\n \"distinct_count_of_source_ipv4_address\": {\n \"type\": \"long\"\n },\n \"distinct_count_of_source_ipv6_address\": {\n \"type\": \"long\"\n },\n \"dns_authoritative\": {\n \"type\": \"short\"\n },\n \"dns_cname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_id\": {\n \"type\": \"long\"\n },\n \"dns_mx_exchange\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_mx_preference\": {\n \"type\": \"long\"\n },\n \"dns_nsd_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_nx_domain\": {\n \"type\": \"short\"\n },\n \"dns_ptrd_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_qname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_qr_type\": {\n \"type\": \"long\"\n },\n \"dns_query_response\": {\n \"type\": \"short\"\n },\n 
\"dns_rr_section\": {\n \"type\": \"short\"\n },\n \"dns_soa_expire\": {\n \"type\": \"long\"\n },\n \"dns_soa_minimum\": {\n \"type\": \"long\"\n },\n \"dns_soa_refresh\": {\n \"type\": \"long\"\n },\n \"dns_soa_retry\": {\n \"type\": \"long\"\n },\n \"dns_soa_serial\": {\n \"type\": \"long\"\n },\n \"dns_soam_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_soar_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_srv_port\": {\n \"type\": \"long\"\n },\n \"dns_srv_priority\": {\n \"type\": \"long\"\n },\n \"dns_srv_target\": {\n \"type\": \"long\"\n },\n \"dns_srv_weight\": {\n \"type\": \"long\"\n },\n \"dns_ttl\": {\n \"type\": \"long\"\n },\n \"dns_txt_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dot1q_customer_dei\": {\n \"type\": \"boolean\"\n },\n \"dot1q_customer_destination_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dot1q_customer_priority\": {\n \"type\": \"short\"\n },\n \"dot1q_customer_source_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dot1q_customer_vlan_id\": {\n \"type\": \"long\"\n },\n \"dot1q_dei\": {\n \"type\": \"boolean\"\n },\n \"dot1q_priority\": {\n \"type\": \"short\"\n },\n \"dot1q_service_instance_id\": {\n \"type\": \"long\"\n },\n \"dot1q_service_instance_priority\": {\n \"type\": \"short\"\n },\n \"dot1q_service_instance_tag\": {\n \"type\": \"short\"\n },\n \"dot1q_vlan_id\": {\n \"type\": \"long\"\n },\n \"dropped_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"dropped_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"dropped_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"dropped_octet_total_count\": {\n \"type\": \"long\"\n },\n \"dropped_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"dropped_packet_total_count\": {\n \"type\": \"long\"\n },\n \"dst_traffic_index\": {\n \"type\": \"long\"\n },\n \"egress_broadcast_packet_total_count\": {\n \"type\": \"long\"\n },\n 
\"egress_interface\": {\n \"type\": \"long\"\n },\n \"egress_interface_type\": {\n \"type\": \"long\"\n },\n \"egress_physical_interface\": {\n \"type\": \"long\"\n },\n \"egress_unicast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"egress_vrfid\": {\n \"type\": \"long\"\n },\n \"encrypted_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"engine_id\": {\n \"type\": \"short\"\n },\n \"engine_type\": {\n \"type\": \"short\"\n },\n \"ethernet_header_length\": {\n \"type\": \"short\"\n },\n \"ethernet_payload_length\": {\n \"type\": \"long\"\n },\n \"ethernet_total_length\": {\n \"type\": \"long\"\n },\n \"ethernet_type\": {\n \"type\": \"long\"\n },\n \"expired_fragment_count\": {\n \"type\": \"long\"\n },\n \"export_interface\": {\n \"type\": \"long\"\n },\n \"export_protocol_version\": {\n \"type\": \"short\"\n },\n \"export_sctp_stream_id\": {\n \"type\": \"long\"\n },\n \"export_transport_protocol\": {\n \"type\": \"short\"\n },\n \"exported_flow_record_total_count\": {\n \"type\": \"long\"\n },\n \"exported_message_total_count\": {\n \"type\": \"long\"\n },\n \"exported_octet_total_count\": {\n \"type\": \"long\"\n },\n \"exporter\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_id\": {\n \"type\": \"long\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"uptime_millis\": {\n \"type\": \"long\"\n },\n \"version\": {\n \"type\": \"long\"\n }\n }\n },\n \"exporter_certificate\": {\n \"type\": \"short\"\n },\n \"exporter_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"exporter_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"exporter_transport_port\": {\n \"type\": \"long\"\n },\n \"exporting_process_id\": {\n \"type\": \"long\"\n },\n \"external_address_realm\": {\n \"type\": \"short\"\n },\n \"firewall_event\": {\n \"type\": \"short\"\n },\n \"first_eight_non_empty_packet_directions\": {\n \"type\": \"short\"\n },\n \"first_non_empty_packet_size\": 
{\n \"type\": \"long\"\n },\n \"first_packet_banner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flags_and_sampler_id\": {\n \"type\": \"long\"\n },\n \"flow_active_timeout\": {\n \"type\": \"long\"\n },\n \"flow_attributes\": {\n \"type\": \"long\"\n },\n \"flow_direction\": {\n \"type\": \"short\"\n },\n \"flow_duration_microseconds\": {\n \"type\": \"long\"\n },\n \"flow_duration_milliseconds\": {\n \"type\": \"long\"\n },\n \"flow_end_delta_microseconds\": {\n \"type\": \"long\"\n },\n \"flow_end_microseconds\": {\n \"type\": \"date\"\n },\n \"flow_end_milliseconds\": {\n \"type\": \"date\"\n },\n \"flow_end_nanoseconds\": {\n \"type\": \"date\"\n },\n \"flow_end_reason\": {\n \"type\": \"short\"\n },\n \"flow_end_seconds\": {\n \"type\": \"date\"\n },\n \"flow_end_sys_up_time\": {\n \"type\": \"long\"\n },\n \"flow_id\": {\n \"type\": \"long\"\n },\n \"flow_idle_timeout\": {\n \"type\": \"long\"\n },\n \"flow_key_indicator\": {\n \"type\": \"long\"\n },\n \"flow_label_ipv6\": {\n \"type\": \"long\"\n },\n \"flow_sampling_time_interval\": {\n \"type\": \"long\"\n },\n \"flow_sampling_time_spacing\": {\n \"type\": \"long\"\n },\n \"flow_selected_flow_delta_count\": {\n \"type\": \"long\"\n },\n \"flow_selected_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"flow_selected_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"flow_selector_algorithm\": {\n \"type\": \"long\"\n },\n \"flow_start_delta_microseconds\": {\n \"type\": \"long\"\n },\n \"flow_start_microseconds\": {\n \"type\": \"date\"\n },\n \"flow_start_milliseconds\": {\n \"type\": \"date\"\n },\n \"flow_start_nanoseconds\": {\n \"type\": \"date\"\n },\n \"flow_start_seconds\": {\n \"type\": \"date\"\n },\n \"flow_start_sys_up_time\": {\n \"type\": \"long\"\n },\n \"flow_table_flush_event_count\": {\n \"type\": \"long\"\n },\n \"flow_table_peak_count\": {\n \"type\": \"long\"\n },\n \"forwarding_status\": {\n \"type\": \"short\"\n },\n \"fragment_flags\": {\n \"type\": 
\"short\"\n },\n \"fragment_identification\": {\n \"type\": \"long\"\n },\n \"fragment_offset\": {\n \"type\": \"long\"\n },\n \"fw_blackout_secs\": {\n \"type\": \"long\"\n },\n \"fw_configured_value\": {\n \"type\": \"long\"\n },\n \"fw_cts_src_sgt\": {\n \"type\": \"long\"\n },\n \"fw_event_level\": {\n \"type\": \"long\"\n },\n \"fw_event_level_id\": {\n \"type\": \"long\"\n },\n \"fw_ext_event\": {\n \"type\": \"long\"\n },\n \"fw_ext_event_alt\": {\n \"type\": \"long\"\n },\n \"fw_ext_event_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fw_half_open_count\": {\n \"type\": \"long\"\n },\n \"fw_half_open_high\": {\n \"type\": \"long\"\n },\n \"fw_half_open_rate\": {\n \"type\": \"long\"\n },\n \"fw_max_sessions\": {\n \"type\": \"long\"\n },\n \"fw_rule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fw_summary_pkt_count\": {\n \"type\": \"long\"\n },\n \"fw_zone_pair_id\": {\n \"type\": \"long\"\n },\n \"fw_zone_pair_name\": {\n \"type\": \"long\"\n },\n \"global_address_mapping_high_threshold\": {\n \"type\": \"long\"\n },\n \"gre_key\": {\n \"type\": \"long\"\n },\n \"hash_digest_output\": {\n \"type\": \"boolean\"\n },\n \"hash_flow_domain\": {\n \"type\": \"long\"\n },\n \"hash_initialiser_value\": {\n \"type\": \"long\"\n },\n \"hash_ip_payload_offset\": {\n \"type\": \"long\"\n },\n \"hash_ip_payload_size\": {\n \"type\": \"long\"\n },\n \"hash_output_range_max\": {\n \"type\": \"long\"\n },\n \"hash_output_range_min\": {\n \"type\": \"long\"\n },\n \"hash_selected_range_max\": {\n \"type\": \"long\"\n },\n \"hash_selected_range_min\": {\n \"type\": \"long\"\n },\n \"http_content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_message_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_reason_phrase\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_request_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_request_method\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_request_target\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_status_code\": {\n \"type\": \"long\"\n },\n \"http_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_code_ipv4\": {\n \"type\": \"short\"\n },\n \"icmp_code_ipv6\": {\n \"type\": \"short\"\n },\n \"icmp_type_code_ipv4\": {\n \"type\": \"long\"\n },\n \"icmp_type_code_ipv6\": {\n \"type\": \"long\"\n },\n \"icmp_type_ipv4\": {\n \"type\": \"short\"\n },\n \"icmp_type_ipv6\": {\n \"type\": \"short\"\n },\n \"igmp_type\": {\n \"type\": \"short\"\n },\n \"ignored_data_record_total_count\": {\n \"type\": \"long\"\n },\n \"ignored_layer2_frame_total_count\": {\n \"type\": \"long\"\n },\n \"ignored_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"ignored_octet_total_count\": {\n \"type\": \"long\"\n },\n \"ignored_packet_total_count\": {\n \"type\": \"long\"\n },\n \"information_element_data_type\": {\n \"type\": \"short\"\n },\n \"information_element_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"information_element_id\": {\n \"type\": \"long\"\n },\n \"information_element_index\": {\n \"type\": \"long\"\n },\n \"information_element_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"information_element_range_begin\": {\n \"type\": \"long\"\n },\n \"information_element_range_end\": {\n \"type\": \"long\"\n },\n \"information_element_semantics\": {\n \"type\": \"short\"\n },\n \"information_element_units\": {\n \"type\": \"long\"\n },\n \"ingress_broadcast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"ingress_interface\": {\n \"type\": \"long\"\n },\n \"ingress_interface_type\": {\n \"type\": \"long\"\n },\n \"ingress_multicast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"ingress_physical_interface\": {\n \"type\": \"long\"\n },\n \"ingress_unicast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"ingress_vrfid\": {\n 
\"type\": \"long\"\n },\n \"initial_tcp_flags\": {\n \"type\": \"short\"\n },\n \"initiator_octets\": {\n \"type\": \"long\"\n },\n \"initiator_packets\": {\n \"type\": \"long\"\n },\n \"interface_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"interface_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"intermediate_process_id\": {\n \"type\": \"long\"\n },\n \"internal_address_realm\": {\n \"type\": \"short\"\n },\n \"ip_class_of_service\": {\n \"type\": \"short\"\n },\n \"ip_diff_serv_code_point\": {\n \"type\": \"short\"\n },\n \"ip_header_length\": {\n \"type\": \"short\"\n },\n \"ip_header_packet_section\": {\n \"type\": \"short\"\n },\n \"ip_next_hop_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"ip_next_hop_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"ip_payload_length\": {\n \"type\": \"long\"\n },\n \"ip_payload_packet_section\": {\n \"type\": \"short\"\n },\n \"ip_precedence\": {\n \"type\": \"short\"\n },\n \"ip_sec_spi\": {\n \"type\": \"long\"\n },\n \"ip_total_length\": {\n \"type\": \"long\"\n },\n \"ip_ttl\": {\n \"type\": \"short\"\n },\n \"ip_version\": {\n \"type\": \"short\"\n },\n \"ipv4_ihl\": {\n \"type\": \"short\"\n },\n \"ipv4_options\": {\n \"type\": \"long\"\n },\n \"ipv4_router_sc\": {\n \"type\": \"ip\"\n },\n \"ipv6_extension_headers\": {\n \"type\": \"long\"\n },\n \"is_multicast\": {\n \"type\": \"short\"\n },\n \"ixia_browser_id\": {\n \"type\": \"short\"\n },\n \"ixia_browser_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_device_id\": {\n \"type\": \"short\"\n },\n \"ixia_device_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dns_answer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dns_classes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dns_query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dns_record_txt\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"ixia_dst_as_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dst_city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dst_country_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dst_country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dst_latitude\": {\n \"type\": \"float\"\n },\n \"ixia_dst_longitude\": {\n \"type\": \"float\"\n },\n \"ixia_dst_region_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_dst_region_node\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_encrypt_cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_encrypt_key_length\": {\n \"type\": \"long\"\n },\n \"ixia_encrypt_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_http_host_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_http_uri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_http_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_imsi_subscriber\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_l7_app_id\": {\n \"type\": \"long\"\n },\n \"ixia_l7_app_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_latency\": {\n \"type\": \"long\"\n },\n \"ixia_rev_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"ixia_rev_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"ixia_src_as_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_src_city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_src_country_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_src_country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_src_latitude\": {\n \"type\": \"float\"\n },\n \"ixia_src_longitude\": {\n \"type\": \"float\"\n },\n \"ixia_src_region_code\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"ixia_src_region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ixia_threat_ipv4\": {\n \"type\": \"ip\"\n },\n \"ixia_threat_ipv6\": {\n \"type\": \"ip\"\n },\n \"ixia_threat_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"large_packet_count\": {\n \"type\": \"long\"\n },\n \"layer2_frame_delta_count\": {\n \"type\": \"long\"\n },\n \"layer2_frame_total_count\": {\n \"type\": \"long\"\n },\n \"layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"layer2_octet_delta_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"layer2_octet_total_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"layer2_segment_id\": {\n \"type\": \"long\"\n },\n \"layer2packet_section_data\": {\n \"type\": \"short\"\n },\n \"layer2packet_section_offset\": {\n \"type\": \"long\"\n },\n \"layer2packet_section_size\": {\n \"type\": \"long\"\n },\n \"line_card_id\": {\n \"type\": \"long\"\n },\n \"log_op\": {\n \"type\": \"short\"\n },\n \"lower_ci_limit\": {\n \"type\": \"double\"\n },\n \"mark\": {\n \"type\": \"long\"\n },\n \"max_bib_entries\": {\n \"type\": \"long\"\n },\n \"max_entries_per_user\": {\n \"type\": \"long\"\n },\n \"max_export_seconds\": {\n \"type\": \"date\"\n },\n \"max_flow_end_microseconds\": {\n \"type\": \"date\"\n },\n \"max_flow_end_milliseconds\": {\n \"type\": \"date\"\n },\n \"max_flow_end_nanoseconds\": {\n \"type\": \"date\"\n },\n \"max_flow_end_seconds\": {\n \"type\": \"date\"\n },\n \"max_fragments_pending_reassembly\": {\n \"type\": \"long\"\n },\n \"max_packet_size\": {\n \"type\": \"long\"\n },\n \"max_session_entries\": {\n \"type\": \"long\"\n },\n \"max_subscribers\": {\n \"type\": \"long\"\n },\n \"maximum_ip_total_length\": {\n \"type\": \"long\"\n },\n \"maximum_layer2_total_length\": {\n \"type\": \"long\"\n },\n \"maximum_ttl\": {\n \"type\": \"short\"\n },\n \"mean_flow_rate\": {\n \"type\": \"long\"\n },\n 
\"mean_packet_rate\": {\n \"type\": \"long\"\n },\n \"message_md5_checksum\": {\n \"type\": \"short\"\n },\n \"message_scope\": {\n \"type\": \"short\"\n },\n \"metering_process_id\": {\n \"type\": \"long\"\n },\n \"metro_evc_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"metro_evc_type\": {\n \"type\": \"short\"\n },\n \"mib_capture_time_semantics\": {\n \"type\": \"short\"\n },\n \"mib_context_engine_id\": {\n \"type\": \"short\"\n },\n \"mib_context_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mib_index_indicator\": {\n \"type\": \"long\"\n },\n \"mib_module_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mib_object_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mib_object_identifier\": {\n \"type\": \"short\"\n },\n \"mib_object_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mib_object_syntax\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mib_object_value_bits\": {\n \"type\": \"short\"\n },\n \"mib_object_value_counter\": {\n \"type\": \"long\"\n },\n \"mib_object_value_gauge\": {\n \"type\": \"long\"\n },\n \"mib_object_value_integer\": {\n \"type\": \"long\"\n },\n \"mib_object_value_ip_address\": {\n \"type\": \"ip\"\n },\n \"mib_object_value_octet_string\": {\n \"type\": \"short\"\n },\n \"mib_object_value_oid\": {\n \"type\": \"short\"\n },\n \"mib_object_value_time_ticks\": {\n \"type\": \"long\"\n },\n \"mib_object_value_unsigned\": {\n \"type\": \"long\"\n },\n \"mib_sub_identifier\": {\n \"type\": \"long\"\n },\n \"min_export_seconds\": {\n \"type\": \"date\"\n },\n \"min_flow_start_microseconds\": {\n \"type\": \"date\"\n },\n \"min_flow_start_milliseconds\": {\n \"type\": \"date\"\n },\n \"min_flow_start_nanoseconds\": {\n \"type\": \"date\"\n },\n \"min_flow_start_seconds\": {\n \"type\": \"date\"\n },\n \"minimum_ip_total_length\": {\n \"type\": \"long\"\n },\n \"minimum_layer2_total_length\": {\n \"type\": 
\"long\"\n },\n \"minimum_ttl\": {\n \"type\": \"short\"\n },\n \"mobile_imsi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mobile_msisdn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"monitoring_interval_end_milli_seconds\": {\n \"type\": \"date\"\n },\n \"monitoring_interval_start_milli_seconds\": {\n \"type\": \"date\"\n },\n \"mpls_label_stack_depth\": {\n \"type\": \"long\"\n },\n \"mpls_label_stack_length\": {\n \"type\": \"long\"\n },\n \"mpls_label_stack_section\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section10\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section2\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section3\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section4\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section5\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section6\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section7\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section8\": {\n \"type\": \"short\"\n },\n \"mpls_label_stack_section9\": {\n \"type\": \"short\"\n },\n \"mpls_payload_length\": {\n \"type\": \"long\"\n },\n \"mpls_payload_packet_section\": {\n \"type\": \"short\"\n },\n \"mpls_top_label_exp\": {\n \"type\": \"short\"\n },\n \"mpls_top_label_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"mpls_top_label_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"mpls_top_label_prefix_length\": {\n \"type\": \"short\"\n },\n \"mpls_top_label_stack_section\": {\n \"type\": \"short\"\n },\n \"mpls_top_label_ttl\": {\n \"type\": \"short\"\n },\n \"mpls_top_label_type\": {\n \"type\": \"short\"\n },\n \"mpls_vpn_route_distinguisher\": {\n \"type\": \"short\"\n },\n \"mptcp_address_id\": {\n \"type\": \"short\"\n },\n \"mptcp_flags\": {\n \"type\": \"short\"\n },\n \"mptcp_initial_data_sequence_number\": {\n \"type\": \"long\"\n },\n \"mptcp_maximum_segment_size\": {\n \"type\": \"long\"\n },\n \"mptcp_receiver_token\": {\n \"type\": \"long\"\n },\n 
\"multicast_replication_factor\": {\n \"type\": \"long\"\n },\n \"nat_event\": {\n \"type\": \"short\"\n },\n \"nat_inside_svcid\": {\n \"type\": \"long\"\n },\n \"nat_instance_id\": {\n \"type\": \"long\"\n },\n \"nat_originating_address_realm\": {\n \"type\": \"short\"\n },\n \"nat_outside_svcid\": {\n \"type\": \"long\"\n },\n \"nat_pool_id\": {\n \"type\": \"long\"\n },\n \"nat_pool_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_quota_exceeded_event\": {\n \"type\": \"long\"\n },\n \"nat_sub_string\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_threshold_event\": {\n \"type\": \"long\"\n },\n \"nat_type\": {\n \"type\": \"short\"\n },\n \"netscale_ica_client_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_aaa_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_app_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_app_name_app_id\": {\n \"type\": \"long\"\n },\n \"netscaler_app_name_incarnation_number\": {\n \"type\": \"long\"\n },\n \"netscaler_app_template_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_app_unit_name_app_id\": {\n \"type\": \"long\"\n },\n \"netscaler_application_startup_duration\": {\n \"type\": \"long\"\n },\n \"netscaler_application_startup_time\": {\n \"type\": \"long\"\n },\n \"netscaler_cache_redir_client_connection_core_id\": {\n \"type\": \"long\"\n },\n \"netscaler_cache_redir_client_connection_transaction_id\": {\n \"type\": \"long\"\n },\n \"netscaler_client_rtt\": {\n \"type\": \"long\"\n },\n \"netscaler_connection_chain_hop_count\": {\n \"type\": \"long\"\n },\n \"netscaler_connection_chain_id\": {\n \"type\": \"short\"\n },\n \"netscaler_connection_id\": {\n \"type\": \"long\"\n },\n \"netscaler_current_license_consumed\": {\n \"type\": \"long\"\n },\n \"netscaler_db_clt_host_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"netscaler_db_database_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_db_login_flags\": {\n \"type\": \"long\"\n },\n \"netscaler_db_protocol_name\": {\n \"type\": \"short\"\n },\n \"netscaler_db_req_string\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_db_req_type\": {\n \"type\": \"short\"\n },\n \"netscaler_db_resp_length\": {\n \"type\": \"long\"\n },\n \"netscaler_db_resp_status\": {\n \"type\": \"long\"\n },\n \"netscaler_db_resp_status_string\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_db_user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_flow_flags\": {\n \"type\": \"long\"\n },\n \"netscaler_http_client_interaction_end_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_client_interaction_start_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_client_render_end_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_client_render_start_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_domain_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_authorization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_forw_fb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_req_forw_lb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_req_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_rcv_fb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_req_rcv_lb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_req_referer\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"netscaler_http_req_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_via\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_req_xforwarded_for\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_res_forw_fb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_res_forw_lb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_res_location\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_res_rcv_fb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_res_rcv_lb\": {\n \"type\": \"long\"\n },\n \"netscaler_http_res_set_cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_res_set_cookie2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_http_rsp_len\": {\n \"type\": \"long\"\n },\n \"netscaler_http_rsp_status\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_app_module_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_ica_app_process_id\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_ica_application_termination_time\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_application_termination_type\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id1\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id1_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id2\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id2_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id3\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id3_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id4\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id4_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_channel_id5\": {\n 
\"type\": \"long\"\n },\n \"netscaler_ica_channel_id5_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_client_host_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_ica_client_ip\": {\n \"type\": \"ip\"\n },\n \"netscaler_ica_client_launcher\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_client_side_rto_count\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_client_side_window_size\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_client_type\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_delay\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_jitter\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_packets_retransmit\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_rtt\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_rx_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_srtt\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_clientside_tx_bytes\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_connection_priority\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_device_serial_no\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_domain_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_ica_flags\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_host_delay\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_l7_client_latency\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_l7_server_latency\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_launch_mechanism\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_network_update_end_time\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_network_update_start_time\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_rtt\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_ica_server_side_rto_count\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_server_side_window_size\": {\n \"type\": \"long\"\n },\n 
\"netscaler_ica_serverside_delay\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_serverside_jitter\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_serverside_packets_retransmit\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_serverside_rtt\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_serverside_srtt\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_session_end_time\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_session_guid\": {\n \"type\": \"short\"\n },\n \"netscaler_ica_session_reconnects\": {\n \"type\": \"short\"\n },\n \"netscaler_ica_session_setup_time\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_session_update_begin_sec\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_session_update_end_sec\": {\n \"type\": \"long\"\n },\n \"netscaler_ica_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_license_type\": {\n \"type\": \"short\"\n },\n \"netscaler_main_page_core_id\": {\n \"type\": \"long\"\n },\n \"netscaler_main_page_id\": {\n \"type\": \"long\"\n },\n \"netscaler_max_license_count\": {\n \"type\": \"long\"\n },\n \"netscaler_msi_client_cookie\": {\n \"type\": \"short\"\n },\n \"netscaler_round_trip_time\": {\n \"type\": \"long\"\n },\n \"netscaler_server_ttfb\": {\n \"type\": \"long\"\n },\n \"netscaler_server_ttlb\": {\n \"type\": \"long\"\n },\n \"netscaler_syslog_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_syslog_priority\": {\n \"type\": \"short\"\n },\n \"netscaler_syslog_timestamp\": {\n \"type\": \"long\"\n },\n \"netscaler_transaction_id\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown270\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown271\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown272\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown273\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown274\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown275\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown276\": {\n \"type\": \"long\"\n },\n 
\"netscaler_unknown277\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown278\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown279\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown280\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown281\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown282\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown283\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown284\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown285\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown286\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown287\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown288\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown289\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown290\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown291\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown292\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown293\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown294\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown295\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown296\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown297\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown298\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown299\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown300\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown301\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown302\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown303\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown304\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown305\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown306\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown307\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown308\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown309\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown310\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown311\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown312\": {\n \"type\": 
\"long\"\n },\n \"netscaler_unknown313\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown314\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown315\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown316\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown317\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown318\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown319\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown320\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown321\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown322\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown323\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown324\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown325\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown326\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown327\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown328\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown329\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown330\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown331\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown332\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown333\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown334\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown335\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown336\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown337\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown338\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown339\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown340\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown341\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown342\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown343\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown344\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown345\": {\n \"type\": \"long\"\n },\n 
\"netscaler_unknown346\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown347\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown348\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown349\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown350\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown351\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netscaler_unknown352\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown353\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown354\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown355\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown356\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown357\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown363\": {\n \"type\": \"short\"\n },\n \"netscaler_unknown383\": {\n \"type\": \"short\"\n },\n \"netscaler_unknown391\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown398\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown404\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown405\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown427\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown429\": {\n \"type\": \"short\"\n },\n \"netscaler_unknown432\": {\n \"type\": \"short\"\n },\n \"netscaler_unknown433\": {\n \"type\": \"short\"\n },\n \"netscaler_unknown453\": {\n \"type\": \"long\"\n },\n \"netscaler_unknown465\": {\n \"type\": \"long\"\n },\n \"new_connection_delta_count\": {\n \"type\": \"long\"\n },\n \"next_header_ipv6\": {\n \"type\": \"short\"\n },\n \"non_empty_packet_count\": {\n \"type\": \"long\"\n },\n \"not_sent_flow_total_count\": {\n \"type\": \"long\"\n },\n \"not_sent_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"not_sent_octet_total_count\": {\n \"type\": \"long\"\n },\n \"not_sent_packet_total_count\": {\n \"type\": \"long\"\n },\n \"observation_domain_id\": {\n \"type\": \"long\"\n },\n \"observation_domain_name\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"observation_point_id\": {\n \"type\": \"long\"\n },\n \"observation_point_type\": {\n \"type\": \"short\"\n },\n \"observation_time_microseconds\": {\n \"type\": \"date\"\n },\n \"observation_time_milliseconds\": {\n \"type\": \"date\"\n },\n \"observation_time_nanoseconds\": {\n \"type\": \"date\"\n },\n \"observation_time_seconds\": {\n \"type\": \"date\"\n },\n \"observed_flow_total_count\": {\n \"type\": \"long\"\n },\n \"octet_delta_count\": {\n \"type\": \"long\"\n },\n \"octet_delta_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"octet_total_count\": {\n \"type\": \"long\"\n },\n \"octet_total_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"opaque_octets\": {\n \"type\": \"short\"\n },\n \"original_exporter_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"original_exporter_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"original_flows_completed\": {\n \"type\": \"long\"\n },\n \"original_flows_initiated\": {\n \"type\": \"long\"\n },\n \"original_flows_present\": {\n \"type\": \"long\"\n },\n \"original_observation_domain_id\": {\n \"type\": \"long\"\n },\n \"os_finger_print\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p2p_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"packet_delta_count\": {\n \"type\": \"long\"\n },\n \"packet_total_count\": {\n \"type\": \"long\"\n },\n \"padding_octets\": {\n \"type\": \"short\"\n },\n \"payload\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"payload_entropy\": {\n \"type\": \"short\"\n },\n \"payload_length_ipv6\": {\n \"type\": \"long\"\n },\n \"policy_qos_classification_hierarchy\": {\n \"type\": \"long\"\n },\n \"policy_qos_queue_index\": {\n \"type\": \"long\"\n },\n \"policy_qos_queuedrops\": {\n \"type\": \"long\"\n },\n \"policy_qos_queueindex\": {\n \"type\": \"long\"\n },\n 
\"port_id\": {\n \"type\": \"long\"\n },\n \"port_range_end\": {\n \"type\": \"long\"\n },\n \"port_range_num_ports\": {\n \"type\": \"long\"\n },\n \"port_range_start\": {\n \"type\": \"long\"\n },\n \"port_range_step_size\": {\n \"type\": \"long\"\n },\n \"post_destination_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"post_dot1q_customer_vlan_id\": {\n \"type\": \"long\"\n },\n \"post_dot1q_vlan_id\": {\n \"type\": \"long\"\n },\n \"post_ip_class_of_service\": {\n \"type\": \"short\"\n },\n \"post_ip_diff_serv_code_point\": {\n \"type\": \"short\"\n },\n \"post_ip_precedence\": {\n \"type\": \"short\"\n },\n \"post_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"post_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"post_mcast_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"post_mcast_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"post_mcast_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"post_mcast_octet_total_count\": {\n \"type\": \"long\"\n },\n \"post_mcast_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"post_mcast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"post_mpls_top_label_exp\": {\n \"type\": \"short\"\n },\n \"post_napt_destination_transport_port\": {\n \"type\": \"long\"\n },\n \"post_napt_source_transport_port\": {\n \"type\": \"long\"\n },\n \"post_nat_destination_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"post_nat_destination_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"post_nat_source_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"post_nat_source_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"post_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"post_octet_total_count\": {\n \"type\": \"long\"\n },\n \"post_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"post_packet_total_count\": {\n \"type\": \"long\"\n },\n \"post_source_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"post_vlan_id\": {\n \"type\": \"long\"\n 
},\n \"private_enterprise_number\": {\n \"type\": \"long\"\n },\n \"procera_apn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_base_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_content_categories\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_device_id\": {\n \"type\": \"long\"\n },\n \"procera_external_rtt\": {\n \"type\": \"long\"\n },\n \"procera_flow_behavior\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_ggsn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_file_length\": {\n \"type\": \"long\"\n },\n \"procera_http_language\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_location\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_referer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_request_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_request_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_response_status\": {\n \"type\": \"long\"\n },\n \"procera_http_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_http_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_imsi\": {\n \"type\": \"long\"\n },\n \"procera_incoming_octets\": {\n \"type\": \"long\"\n },\n \"procera_incoming_packets\": {\n \"type\": \"long\"\n },\n \"procera_incoming_shaping_drops\": {\n \"type\": \"long\"\n },\n \"procera_incoming_shaping_latency\": {\n \"type\": \"long\"\n },\n \"procera_internal_rtt\": {\n \"type\": \"long\"\n },\n \"procera_local_ipv4_host\": {\n \"type\": \"ip\"\n },\n \"procera_local_ipv6_host\": {\n \"type\": \"ip\"\n },\n \"procera_msisdn\": {\n \"type\": \"long\"\n },\n \"procera_outgoing_octets\": {\n \"type\": \"long\"\n },\n 
\"procera_outgoing_packets\": {\n \"type\": \"long\"\n },\n \"procera_outgoing_shaping_drops\": {\n \"type\": \"long\"\n },\n \"procera_outgoing_shaping_latency\": {\n \"type\": \"long\"\n },\n \"procera_property\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_qoe_incoming_external\": {\n \"type\": \"float\"\n },\n \"procera_qoe_incoming_internal\": {\n \"type\": \"float\"\n },\n \"procera_qoe_outgoing_external\": {\n \"type\": \"float\"\n },\n \"procera_qoe_outgoing_internal\": {\n \"type\": \"float\"\n },\n \"procera_rat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_remote_ipv4_host\": {\n \"type\": \"ip\"\n },\n \"procera_remote_ipv6_host\": {\n \"type\": \"ip\"\n },\n \"procera_rnc\": {\n \"type\": \"long\"\n },\n \"procera_server_hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_sgsn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_subscriber_identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_template_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"procera_user_location_information\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol_identifier\": {\n \"type\": \"short\"\n },\n \"pseudo_wire_control_word\": {\n \"type\": \"long\"\n },\n \"pseudo_wire_destination_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"pseudo_wire_id\": {\n \"type\": \"long\"\n },\n \"pseudo_wire_type\": {\n \"type\": \"long\"\n },\n \"reason\": {\n \"type\": \"long\"\n },\n \"reason_text\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"relative_error\": {\n \"type\": \"double\"\n },\n \"responder_octets\": {\n \"type\": \"long\"\n },\n \"responder_packets\": {\n \"type\": \"long\"\n },\n \"reverse_absolute_error\": {\n \"type\": \"double\"\n },\n \"reverse_anonymization_flags\": {\n \"type\": \"long\"\n },\n 
\"reverse_anonymization_technique\": {\n \"type\": \"long\"\n },\n \"reverse_application_category_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_application_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_application_group_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_application_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_application_sub_category_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_average_interarrival_time\": {\n \"type\": \"long\"\n },\n \"reverse_bgp_destination_as_number\": {\n \"type\": \"long\"\n },\n \"reverse_bgp_next_adjacent_as_number\": {\n \"type\": \"long\"\n },\n \"reverse_bgp_next_hop_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_bgp_next_hop_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_bgp_prev_adjacent_as_number\": {\n \"type\": \"long\"\n },\n \"reverse_bgp_source_as_number\": {\n \"type\": \"long\"\n },\n \"reverse_bgp_validity_state\": {\n \"type\": \"short\"\n },\n \"reverse_class_id\": {\n \"type\": \"short\"\n },\n \"reverse_class_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_classification_engine_id\": {\n \"type\": \"short\"\n },\n \"reverse_collection_time_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_collector_certificate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_confidence_level\": {\n \"type\": \"double\"\n },\n \"reverse_connection_sum_duration_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_connection_transaction_id\": {\n \"type\": \"long\"\n },\n \"reverse_data_byte_count\": {\n \"type\": \"long\"\n },\n \"reverse_data_link_frame_section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_data_link_frame_size\": {\n \"type\": \"long\"\n },\n 
\"reverse_data_link_frame_type\": {\n \"type\": \"long\"\n },\n \"reverse_data_records_reliability\": {\n \"type\": \"short\"\n },\n \"reverse_delta_flow_count\": {\n \"type\": \"long\"\n },\n \"reverse_destination_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_destination_ipv4_prefix\": {\n \"type\": \"ip\"\n },\n \"reverse_destination_ipv4_prefix_length\": {\n \"type\": \"short\"\n },\n \"reverse_destination_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_destination_ipv6_prefix\": {\n \"type\": \"ip\"\n },\n \"reverse_destination_ipv6_prefix_length\": {\n \"type\": \"short\"\n },\n \"reverse_destination_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_destination_transport_port\": {\n \"type\": \"long\"\n },\n \"reverse_digest_hash_value\": {\n \"type\": \"long\"\n },\n \"reverse_distinct_count_of_destination_ip_address\": {\n \"type\": \"long\"\n },\n \"reverse_distinct_count_of_destination_ipv4_address\": {\n \"type\": \"long\"\n },\n \"reverse_distinct_count_of_destination_ipv6_address\": {\n \"type\": \"long\"\n },\n \"reverse_distinct_count_of_source_ip_address\": {\n \"type\": \"long\"\n },\n \"reverse_distinct_count_of_source_ipv4_address\": {\n \"type\": \"long\"\n },\n \"reverse_distinct_count_of_source_ipv6_address\": {\n \"type\": \"long\"\n },\n \"reverse_dot1q_customer_dei\": {\n \"type\": \"short\"\n },\n \"reverse_dot1q_customer_destination_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_dot1q_customer_priority\": {\n \"type\": \"short\"\n },\n \"reverse_dot1q_customer_source_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_dot1q_customer_vlan_id\": {\n \"type\": \"long\"\n },\n \"reverse_dot1q_dei\": {\n \"type\": \"short\"\n },\n \"reverse_dot1q_priority\": {\n \"type\": \"short\"\n },\n \"reverse_dot1q_service_instance_id\": {\n \"type\": \"long\"\n },\n \"reverse_dot1q_service_instance_priority\": {\n \"type\": \"short\"\n 
},\n \"reverse_dot1q_service_instance_tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_dot1q_vlan_id\": {\n \"type\": \"long\"\n },\n \"reverse_dropped_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_dropped_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_dropped_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_dropped_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_dropped_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_dropped_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_dst_traffic_index\": {\n \"type\": \"long\"\n },\n \"reverse_egress_broadcast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_egress_interface\": {\n \"type\": \"long\"\n },\n \"reverse_egress_interface_type\": {\n \"type\": \"long\"\n },\n \"reverse_egress_physical_interface\": {\n \"type\": \"long\"\n },\n \"reverse_egress_unicast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_egress_vrfid\": {\n \"type\": \"long\"\n },\n \"reverse_encrypted_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_engine_id\": {\n \"type\": \"short\"\n },\n \"reverse_engine_type\": {\n \"type\": \"short\"\n },\n \"reverse_ethernet_header_length\": {\n \"type\": \"short\"\n },\n \"reverse_ethernet_payload_length\": {\n \"type\": \"long\"\n },\n \"reverse_ethernet_total_length\": {\n \"type\": \"long\"\n },\n \"reverse_ethernet_type\": {\n \"type\": \"long\"\n },\n \"reverse_export_sctp_stream_id\": {\n \"type\": \"long\"\n },\n \"reverse_exporter_certificate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_exporting_process_id\": {\n \"type\": \"long\"\n },\n \"reverse_firewall_event\": {\n \"type\": \"short\"\n },\n \"reverse_first_non_empty_packet_size\": {\n \"type\": \"long\"\n },\n \"reverse_first_packet_banner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_flags_and_sampler_id\": {\n 
\"type\": \"long\"\n },\n \"reverse_flow_active_timeout\": {\n \"type\": \"long\"\n },\n \"reverse_flow_attributes\": {\n \"type\": \"long\"\n },\n \"reverse_flow_delta_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_direction\": {\n \"type\": \"short\"\n },\n \"reverse_flow_duration_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_duration_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_end_delta_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_end_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_end_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_end_nanoseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_end_reason\": {\n \"type\": \"short\"\n },\n \"reverse_flow_end_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_end_sys_up_time\": {\n \"type\": \"long\"\n },\n \"reverse_flow_idle_timeout\": {\n \"type\": \"long\"\n },\n \"reverse_flow_label_ipv6\": {\n \"type\": \"long\"\n },\n \"reverse_flow_sampling_time_interval\": {\n \"type\": \"long\"\n },\n \"reverse_flow_sampling_time_spacing\": {\n \"type\": \"long\"\n },\n \"reverse_flow_selected_flow_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_flow_selected_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_flow_selected_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_flow_selector_algorithm\": {\n \"type\": \"long\"\n },\n \"reverse_flow_start_delta_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_start_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_start_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_start_nanoseconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_start_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_flow_start_sys_up_time\": {\n \"type\": \"long\"\n },\n \"reverse_forwarding_status\": {\n \"type\": \"long\"\n },\n \"reverse_fragment_flags\": {\n \"type\": \"short\"\n },\n \"reverse_fragment_identification\": {\n \"type\": \"long\"\n 
},\n \"reverse_fragment_offset\": {\n \"type\": \"long\"\n },\n \"reverse_gre_key\": {\n \"type\": \"long\"\n },\n \"reverse_hash_digest_output\": {\n \"type\": \"short\"\n },\n \"reverse_hash_flow_domain\": {\n \"type\": \"long\"\n },\n \"reverse_hash_initialiser_value\": {\n \"type\": \"long\"\n },\n \"reverse_hash_ip_payload_offset\": {\n \"type\": \"long\"\n },\n \"reverse_hash_ip_payload_size\": {\n \"type\": \"long\"\n },\n \"reverse_hash_output_range_max\": {\n \"type\": \"long\"\n },\n \"reverse_hash_output_range_min\": {\n \"type\": \"long\"\n },\n \"reverse_hash_selected_range_max\": {\n \"type\": \"long\"\n },\n \"reverse_hash_selected_range_min\": {\n \"type\": \"long\"\n },\n \"reverse_icmp_code_ipv4\": {\n \"type\": \"short\"\n },\n \"reverse_icmp_code_ipv6\": {\n \"type\": \"short\"\n },\n \"reverse_icmp_type_code_ipv4\": {\n \"type\": \"long\"\n },\n \"reverse_icmp_type_code_ipv6\": {\n \"type\": \"long\"\n },\n \"reverse_icmp_type_ipv4\": {\n \"type\": \"short\"\n },\n \"reverse_icmp_type_ipv6\": {\n \"type\": \"short\"\n },\n \"reverse_igmp_type\": {\n \"type\": \"short\"\n },\n \"reverse_ignored_data_record_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_ignored_layer2_frame_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_ignored_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_information_element_data_type\": {\n \"type\": \"short\"\n },\n \"reverse_information_element_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_information_element_id\": {\n \"type\": \"long\"\n },\n \"reverse_information_element_index\": {\n \"type\": \"long\"\n },\n \"reverse_information_element_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_information_element_range_begin\": {\n \"type\": \"long\"\n },\n \"reverse_information_element_range_end\": {\n \"type\": \"long\"\n },\n \"reverse_information_element_semantics\": {\n \"type\": \"short\"\n },\n 
\"reverse_information_element_units\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_broadcast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_interface\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_interface_type\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_multicast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_physical_interface\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_unicast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_ingress_vrfid\": {\n \"type\": \"long\"\n },\n \"reverse_initial_tcp_flags\": {\n \"type\": \"short\"\n },\n \"reverse_initiator_octets\": {\n \"type\": \"long\"\n },\n \"reverse_initiator_packets\": {\n \"type\": \"long\"\n },\n \"reverse_interface_description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_interface_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_intermediate_process_id\": {\n \"type\": \"long\"\n },\n \"reverse_ip_class_of_service\": {\n \"type\": \"short\"\n },\n \"reverse_ip_diff_serv_code_point\": {\n \"type\": \"short\"\n },\n \"reverse_ip_header_length\": {\n \"type\": \"short\"\n },\n \"reverse_ip_header_packet_section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_ip_next_hop_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_ip_next_hop_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_ip_payload_length\": {\n \"type\": \"long\"\n },\n \"reverse_ip_payload_packet_section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_ip_precedence\": {\n \"type\": \"short\"\n },\n \"reverse_ip_sec_spi\": {\n \"type\": \"long\"\n },\n \"reverse_ip_total_length\": {\n \"type\": \"long\"\n },\n \"reverse_ip_ttl\": {\n \"type\": \"short\"\n },\n \"reverse_ip_version\": {\n \"type\": \"short\"\n },\n \"reverse_ipv4_ihl\": {\n \"type\": \"short\"\n },\n \"reverse_ipv4_options\": {\n \"type\": \"long\"\n },\n \"reverse_ipv4_router_sc\": {\n 
\"type\": \"ip\"\n },\n \"reverse_ipv6_extension_headers\": {\n \"type\": \"long\"\n },\n \"reverse_is_multicast\": {\n \"type\": \"short\"\n },\n \"reverse_large_packet_count\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_frame_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_frame_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_octet_delta_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_octet_total_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"reverse_layer2_segment_id\": {\n \"type\": \"long\"\n },\n \"reverse_layer2packet_section_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_layer2packet_section_offset\": {\n \"type\": \"long\"\n },\n \"reverse_layer2packet_section_size\": {\n \"type\": \"long\"\n },\n \"reverse_line_card_id\": {\n \"type\": \"long\"\n },\n \"reverse_lower_ci_limit\": {\n \"type\": \"double\"\n },\n \"reverse_max_export_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_max_flow_end_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_max_flow_end_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_max_flow_end_nanoseconds\": {\n \"type\": \"long\"\n },\n \"reverse_max_flow_end_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_max_packet_size\": {\n \"type\": \"long\"\n },\n \"reverse_maximum_ip_total_length\": {\n \"type\": \"long\"\n },\n \"reverse_maximum_layer2_total_length\": {\n \"type\": \"long\"\n },\n \"reverse_maximum_ttl\": {\n \"type\": \"short\"\n },\n \"reverse_message_md5_checksum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_message_scope\": {\n \"type\": \"short\"\n },\n \"reverse_metering_process_id\": {\n \"type\": \"long\"\n },\n \"reverse_metro_evc_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_metro_evc_type\": {\n \"type\": \"short\"\n },\n 
\"reverse_min_export_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_min_flow_start_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_min_flow_start_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_min_flow_start_nanoseconds\": {\n \"type\": \"long\"\n },\n \"reverse_min_flow_start_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_minimum_ip_total_length\": {\n \"type\": \"long\"\n },\n \"reverse_minimum_layer2_total_length\": {\n \"type\": \"long\"\n },\n \"reverse_minimum_ttl\": {\n \"type\": \"short\"\n },\n \"reverse_monitoring_interval_end_milli_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_monitoring_interval_start_milli_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_mpls_label_stack_depth\": {\n \"type\": \"long\"\n },\n \"reverse_mpls_label_stack_length\": {\n \"type\": \"long\"\n },\n \"reverse_mpls_label_stack_section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section10\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section4\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section6\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section7\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section8\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_label_stack_section9\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_payload_length\": {\n \"type\": \"long\"\n },\n \"reverse_mpls_payload_packet_section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"reverse_mpls_top_label_exp\": {\n \"type\": \"short\"\n },\n \"reverse_mpls_top_label_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_mpls_top_label_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_mpls_top_label_prefix_length\": {\n \"type\": \"short\"\n },\n \"reverse_mpls_top_label_stack_section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_mpls_top_label_ttl\": {\n \"type\": \"short\"\n },\n \"reverse_mpls_top_label_type\": {\n \"type\": \"short\"\n },\n \"reverse_mpls_vpn_route_distinguisher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_multicast_replication_factor\": {\n \"type\": \"long\"\n },\n \"reverse_nat_event\": {\n \"type\": \"short\"\n },\n \"reverse_nat_originating_address_realm\": {\n \"type\": \"short\"\n },\n \"reverse_nat_pool_id\": {\n \"type\": \"long\"\n },\n \"reverse_nat_pool_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_nat_type\": {\n \"type\": \"short\"\n },\n \"reverse_new_connection_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_next_header_ipv6\": {\n \"type\": \"short\"\n },\n \"reverse_non_empty_packet_count\": {\n \"type\": \"long\"\n },\n \"reverse_not_sent_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_observation_domain_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_observation_point_id\": {\n \"type\": \"long\"\n },\n \"reverse_observation_point_type\": {\n \"type\": \"short\"\n },\n \"reverse_observation_time_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_observation_time_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_observation_time_nanoseconds\": {\n \"type\": \"long\"\n },\n \"reverse_observation_time_seconds\": {\n \"type\": \"long\"\n },\n \"reverse_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_octet_delta_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"reverse_octet_total_count\": {\n \"type\": \"long\"\n },\n 
\"reverse_octet_total_sum_of_squares\": {\n \"type\": \"long\"\n },\n \"reverse_opaque_octets\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_original_exporter_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_original_exporter_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_original_flows_completed\": {\n \"type\": \"long\"\n },\n \"reverse_original_flows_initiated\": {\n \"type\": \"long\"\n },\n \"reverse_original_flows_present\": {\n \"type\": \"long\"\n },\n \"reverse_original_observation_domain_id\": {\n \"type\": \"long\"\n },\n \"reverse_os_finger_print\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_os_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_os_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_p2p_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_payload\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_payload_entropy\": {\n \"type\": \"short\"\n },\n \"reverse_payload_length_ipv6\": {\n \"type\": \"long\"\n },\n \"reverse_port_id\": {\n \"type\": \"long\"\n },\n \"reverse_port_range_end\": {\n \"type\": \"long\"\n },\n \"reverse_port_range_num_ports\": {\n \"type\": \"long\"\n },\n \"reverse_port_range_start\": {\n \"type\": \"long\"\n },\n \"reverse_port_range_step_size\": {\n \"type\": \"long\"\n },\n \"reverse_post_destination_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_post_dot1q_customer_vlan_id\": {\n \"type\": \"long\"\n },\n \"reverse_post_dot1q_vlan_id\": {\n \"type\": \"long\"\n },\n \"reverse_post_ip_class_of_service\": {\n \"type\": \"short\"\n },\n \"reverse_post_ip_diff_serv_code_point\": {\n \"type\": \"short\"\n },\n \"reverse_post_ip_precedence\": {\n \"type\": \"short\"\n },\n 
\"reverse_post_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mcast_layer2_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mcast_layer2_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mcast_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mcast_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mcast_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mcast_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_mpls_top_label_exp\": {\n \"type\": \"short\"\n },\n \"reverse_post_napt_destination_transport_port\": {\n \"type\": \"long\"\n },\n \"reverse_post_napt_source_transport_port\": {\n \"type\": \"long\"\n },\n \"reverse_post_nat_destination_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_post_nat_destination_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_post_nat_source_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_post_nat_source_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_post_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_octet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_packet_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_post_source_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_post_vlan_id\": {\n \"type\": \"long\"\n },\n \"reverse_private_enterprise_number\": {\n \"type\": \"long\"\n },\n \"reverse_protocol_identifier\": {\n \"type\": \"short\"\n },\n \"reverse_pseudo_wire_control_word\": {\n \"type\": \"long\"\n },\n \"reverse_pseudo_wire_destination_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_pseudo_wire_id\": {\n \"type\": \"long\"\n },\n \"reverse_pseudo_wire_type\": {\n \"type\": \"long\"\n },\n \"reverse_relative_error\": {\n \"type\": \"double\"\n },\n 
\"reverse_responder_octets\": {\n \"type\": \"long\"\n },\n \"reverse_responder_packets\": {\n \"type\": \"long\"\n },\n \"reverse_rfc3550_jitter_microseconds\": {\n \"type\": \"long\"\n },\n \"reverse_rfc3550_jitter_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_rfc3550_jitter_nanoseconds\": {\n \"type\": \"long\"\n },\n \"reverse_rtp_payload_type\": {\n \"type\": \"short\"\n },\n \"reverse_rtp_sequence_number\": {\n \"type\": \"long\"\n },\n \"reverse_sampler_id\": {\n \"type\": \"short\"\n },\n \"reverse_sampler_mode\": {\n \"type\": \"short\"\n },\n \"reverse_sampler_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_sampler_random_interval\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_algorithm\": {\n \"type\": \"short\"\n },\n \"reverse_sampling_flow_interval\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_flow_spacing\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_interval\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_packet_interval\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_packet_space\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_population\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_probability\": {\n \"type\": \"double\"\n },\n \"reverse_sampling_size\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_time_interval\": {\n \"type\": \"long\"\n },\n \"reverse_sampling_time_space\": {\n \"type\": \"long\"\n },\n \"reverse_second_packet_banner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_section_exported_octets\": {\n \"type\": \"long\"\n },\n \"reverse_section_offset\": {\n \"type\": \"long\"\n },\n \"reverse_selection_sequence_id\": {\n \"type\": \"long\"\n },\n \"reverse_selector_algorithm\": {\n \"type\": \"long\"\n },\n \"reverse_selector_id\": {\n \"type\": \"long\"\n },\n \"reverse_selector_id_total_flows_observed\": {\n \"type\": \"long\"\n },\n \"reverse_selector_id_total_flows_selected\": {\n \"type\": \"long\"\n },\n 
\"reverse_selector_id_total_pkts_observed\": {\n \"type\": \"long\"\n },\n \"reverse_selector_id_total_pkts_selected\": {\n \"type\": \"long\"\n },\n \"reverse_selector_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_session_scope\": {\n \"type\": \"short\"\n },\n \"reverse_small_packet_count\": {\n \"type\": \"long\"\n },\n \"reverse_source_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_source_ipv4_prefix\": {\n \"type\": \"ip\"\n },\n \"reverse_source_ipv4_prefix_length\": {\n \"type\": \"short\"\n },\n \"reverse_source_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"reverse_source_ipv6_prefix\": {\n \"type\": \"ip\"\n },\n \"reverse_source_ipv6_prefix_length\": {\n \"type\": \"short\"\n },\n \"reverse_source_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_source_transport_port\": {\n \"type\": \"long\"\n },\n \"reverse_src_traffic_index\": {\n \"type\": \"long\"\n },\n \"reverse_sta_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"reverse_sta_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_standard_deviation_interarrival_time\": {\n \"type\": \"long\"\n },\n \"reverse_standard_deviation_payload_length\": {\n \"type\": \"long\"\n },\n \"reverse_system_init_time_milliseconds\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_ack_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_acknowledgement_number\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_control_bits\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_destination_port\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_fin_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_header_length\": {\n \"type\": \"short\"\n },\n \"reverse_tcp_options\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_psh_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_rst_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_sequence_number\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_source_port\": {\n \"type\": 
\"long\"\n },\n \"reverse_tcp_syn_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_urg_total_count\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_urgent_pointer\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_window_scale\": {\n \"type\": \"long\"\n },\n \"reverse_tcp_window_size\": {\n \"type\": \"long\"\n },\n \"reverse_total_length_ipv4\": {\n \"type\": \"long\"\n },\n \"reverse_transport_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_transport_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"reverse_tunnel_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_udp_destination_port\": {\n \"type\": \"long\"\n },\n \"reverse_udp_message_length\": {\n \"type\": \"long\"\n },\n \"reverse_udp_source_port\": {\n \"type\": \"long\"\n },\n \"reverse_union_tcp_flags\": {\n \"type\": \"short\"\n },\n \"reverse_upper_ci_limit\": {\n \"type\": \"double\"\n },\n \"reverse_user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_value_distribution_method\": {\n \"type\": \"short\"\n },\n \"reverse_virtual_station_interface_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_virtual_station_interface_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_virtual_station_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_virtual_station_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_vlan_id\": {\n \"type\": \"long\"\n },\n \"reverse_vr_fname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_wlan_channel_id\": {\n \"type\": \"short\"\n },\n \"reverse_wlan_ssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reverse_wtp_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rfc3550_jitter_microseconds\": {\n \"type\": \"long\"\n },\n \"rfc3550_jitter_milliseconds\": {\n \"type\": \"long\"\n },\n \"rfc3550_jitter_nanoseconds\": {\n \"type\": 
\"long\"\n },\n \"rtp_payload_type\": {\n \"type\": \"short\"\n },\n \"rtp_sequence_number\": {\n \"type\": \"long\"\n },\n \"sampler_id\": {\n \"type\": \"short\"\n },\n \"sampler_mode\": {\n \"type\": \"short\"\n },\n \"sampler_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sampler_random_interval\": {\n \"type\": \"long\"\n },\n \"sampling_algorithm\": {\n \"type\": \"short\"\n },\n \"sampling_flow_interval\": {\n \"type\": \"long\"\n },\n \"sampling_flow_spacing\": {\n \"type\": \"long\"\n },\n \"sampling_interval\": {\n \"type\": \"long\"\n },\n \"sampling_packet_interval\": {\n \"type\": \"long\"\n },\n \"sampling_packet_space\": {\n \"type\": \"long\"\n },\n \"sampling_population\": {\n \"type\": \"long\"\n },\n \"sampling_probability\": {\n \"type\": \"double\"\n },\n \"sampling_size\": {\n \"type\": \"long\"\n },\n \"sampling_time_interval\": {\n \"type\": \"long\"\n },\n \"sampling_time_space\": {\n \"type\": \"long\"\n },\n \"second_packet_banner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"section_exported_octets\": {\n \"type\": \"long\"\n },\n \"section_offset\": {\n \"type\": \"long\"\n },\n \"selection_sequence_id\": {\n \"type\": \"long\"\n },\n \"selector_algorithm\": {\n \"type\": \"long\"\n },\n \"selector_id\": {\n \"type\": \"long\"\n },\n \"selector_id_total_flows_observed\": {\n \"type\": \"long\"\n },\n \"selector_id_total_flows_selected\": {\n \"type\": \"long\"\n },\n \"selector_id_total_pkts_observed\": {\n \"type\": \"long\"\n },\n \"selector_id_total_pkts_selected\": {\n \"type\": \"long\"\n },\n \"selector_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_scope\": {\n \"type\": \"short\"\n },\n \"silk_app_label\": {\n \"type\": \"long\"\n },\n \"small_packet_count\": {\n \"type\": \"long\"\n },\n \"source_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"source_ipv4_prefix\": {\n \"type\": 
\"ip\"\n },\n \"source_ipv4_prefix_length\": {\n \"type\": \"short\"\n },\n \"source_ipv6_address\": {\n \"type\": \"ip\"\n },\n \"source_ipv6_prefix\": {\n \"type\": \"ip\"\n },\n \"source_ipv6_prefix_length\": {\n \"type\": \"short\"\n },\n \"source_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_transport_port\": {\n \"type\": \"long\"\n },\n \"source_transport_ports_limit\": {\n \"type\": \"long\"\n },\n \"src_traffic_index\": {\n \"type\": \"long\"\n },\n \"ssl_cert_serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_cert_signature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_cert_validity_not_after\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_cert_validity_not_before\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_cert_version\": {\n \"type\": \"short\"\n },\n \"ssl_certificate_hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_client_version\": {\n \"type\": \"short\"\n },\n \"ssl_compression_method\": {\n \"type\": \"short\"\n },\n \"ssl_object_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_object_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_public_key_length\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_server_cipher\": {\n \"type\": \"long\"\n },\n \"ssl_server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sta_ipv4_address\": {\n \"type\": \"ip\"\n },\n \"sta_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"standard_deviation_interarrival_time\": {\n \"type\": \"long\"\n },\n \"standard_deviation_payload_length\": {\n \"type\": \"short\"\n },\n \"system_init_time_milliseconds\": {\n \"type\": \"date\"\n },\n 
\"tcp_ack_total_count\": {\n \"type\": \"long\"\n },\n \"tcp_acknowledgement_number\": {\n \"type\": \"long\"\n },\n \"tcp_control_bits\": {\n \"type\": \"long\"\n },\n \"tcp_destination_port\": {\n \"type\": \"long\"\n },\n \"tcp_fin_total_count\": {\n \"type\": \"long\"\n },\n \"tcp_header_length\": {\n \"type\": \"short\"\n },\n \"tcp_options\": {\n \"type\": \"long\"\n },\n \"tcp_psh_total_count\": {\n \"type\": \"long\"\n },\n \"tcp_rst_total_count\": {\n \"type\": \"long\"\n },\n \"tcp_sequence_number\": {\n \"type\": \"long\"\n },\n \"tcp_source_port\": {\n \"type\": \"long\"\n },\n \"tcp_syn_total_count\": {\n \"type\": \"long\"\n },\n \"tcp_urg_total_count\": {\n \"type\": \"long\"\n },\n \"tcp_urgent_pointer\": {\n \"type\": \"long\"\n },\n \"tcp_window_scale\": {\n \"type\": \"long\"\n },\n \"tcp_window_size\": {\n \"type\": \"long\"\n },\n \"template_id\": {\n \"type\": \"long\"\n },\n \"tftp_filename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tftp_mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"long\"\n },\n \"timestamp_absolute_monitoring-interval\": {\n \"type\": \"long\"\n },\n \"total_length_ipv4\": {\n \"type\": \"long\"\n },\n \"traffic_type\": {\n \"type\": \"short\"\n },\n \"transport_octet_delta_count\": {\n \"type\": \"long\"\n },\n \"transport_packet_delta_count\": {\n \"type\": \"long\"\n },\n \"tunnel_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"udp_destination_port\": {\n \"type\": \"long\"\n },\n \"udp_message_length\": {\n \"type\": \"long\"\n },\n \"udp_source_port\": {\n \"type\": \"long\"\n },\n \"union_tcp_flags\": {\n \"type\": \"short\"\n },\n \"upper_ci_limit\": {\n \"type\": \"double\"\n },\n \"user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"value_distribution_method\": {\n \"type\": \"short\"\n },\n \"viptela_vpn_id\": {\n \"type\": \"long\"\n },\n \"virtual_station_interface_id\": {\n \"type\": \"short\"\n },\n \"virtual_station_interface_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_station_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_station_uuid\": {\n \"type\": \"short\"\n },\n \"vlan_id\": {\n \"type\": \"long\"\n },\n \"vmware_egress_interface_attr\": {\n \"type\": \"long\"\n },\n \"vmware_ingress_interface_attr\": {\n \"type\": \"long\"\n },\n \"vmware_tenant_dest_ipv4\": {\n \"type\": \"ip\"\n },\n \"vmware_tenant_dest_ipv6\": {\n \"type\": \"ip\"\n },\n \"vmware_tenant_dest_port\": {\n \"type\": \"long\"\n },\n \"vmware_tenant_protocol\": {\n \"type\": \"short\"\n },\n \"vmware_tenant_source_ipv4\": {\n \"type\": \"ip\"\n },\n \"vmware_tenant_source_ipv6\": {\n \"type\": \"ip\"\n },\n \"vmware_tenant_source_port\": {\n \"type\": \"long\"\n },\n \"vmware_vxlan_export_role\": {\n \"type\": \"short\"\n },\n \"vpn_identifier\": {\n \"type\": \"short\"\n },\n \"vr_fname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"waasoptimization_segment\": {\n \"type\": \"short\"\n },\n \"wlan_channel_id\": {\n \"type\": \"short\"\n },\n \"wlan_ssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"wtp_mac_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"xlate_destination_address_ip_v4\": {\n \"type\": \"ip\"\n },\n \"xlate_destination_port\": {\n \"type\": \"long\"\n },\n \"xlate_source_address_ip_v4\": {\n \"type\": \"ip\"\n },\n \"xlate_source_port\": {\n \"type\": \"long\"\n }\n }\n },\n \"network\": {\n \"type\": \"object\",\n \"properties\": {\n \"application\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"community_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"direction\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"forwarded_ip\": {\n \"type\": \"ip\"\n },\n \"iana_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inner\": {\n \"type\": \"object\",\n \"properties\": {\n \"vlan\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"interface\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"packets\": {\n \"type\": \"long\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transport\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vlan\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"nginx\": {\n \"type\": \"object\",\n \"properties\": {\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"connection_id\": {\n \"type\": \"long\"\n }\n }\n },\n \"ingress_controller\": {\n \"type\": \"object\",\n \"properties\": {\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"length\": {\n \"type\": \"long\"\n },\n \"time\": {\n \"type\": \"double\"\n }\n }\n }\n }\n },\n \"upstream\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"length\": {\n 
\"type\": \"long\"\n },\n \"length_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status_code\": {\n \"type\": \"long\"\n },\n \"status_code_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time\": {\n \"type\": \"double\"\n },\n \"time_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"upstream_address_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"o365\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"AADGroupId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ActorContextId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ActorIpAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ActorUserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ActorYammerUserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"AlertEntityId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"AlertId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"AlertType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"AppId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ApplicationDisplayName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ApplicationId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"AzureActiveDirectoryEventType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ClientAppId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ClientIP\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ClientIPAddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ClientInfoString\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Comments\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"CommunicationType\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"CorrelationId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"CreationTime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"CustomUniqueId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"DataType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"DoNotDistributeEvent\": {\n \"type\": \"boolean\"\n },\n \"EntityType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ErrorNumber\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"EventData\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"EventSource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ExceptionInfo\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"ExchangeMetaData\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"ExtendedProperties\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"ExternalAccess\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"FromApp\": {\n \"type\": \"boolean\"\n },\n \"GroupName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ImplicitShare\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"IncidentId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"InterSystemsId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"InternalLogonType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"IntraSystemId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"IsDocLib\": {\n \"type\": \"boolean\"\n },\n \"Item\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n 
}\n }\n }\n },\n \"ItemCount\": {\n \"type\": \"long\"\n },\n \"ItemName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ItemType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListBaseTemplateType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListBaseType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListColor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListIcon\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListItemUniqueId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ListTitle\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"LogonError\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"LogonType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"LogonUserSid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MailboxGuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MailboxOwnerMasterAccountSid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MailboxOwnerSid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"MailboxOwnerUPN\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Members\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"ModifiedProperties\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n }\n }\n },\n \"Name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ObjectId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Operation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"OrganizationId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"OrganizationName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"OriginatingServer\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"PolicyId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"RecordType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ResultStatus\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SensitiveInfoDetectionIsIncluded\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SessionId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SharePointMetaData\": {\n \"type\": \"object\",\n \"properties\": {\n \"*\": {\n \"type\": \"object\"\n }\n }\n },\n \"Site\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SiteUrl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SourceFileExtension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SourceFileName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SourceRelativeUrl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"SupportTicketId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"TargetContextId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"TargetUserOrGroupName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"TargetUserOrGroupType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"TeamGuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"TeamName\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"TemplateTypeId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UniqueSharingId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UserAgent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"UserId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UserKey\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"UserType\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"WebId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"Workload\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"YammerNetworkId\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"object\": {\n \"type\": \"object\",\n \"properties\": {\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"observer\": {\n \"type\": \"object\",\n \"properties\": {\n \"egress\": {\n \"type\": \"object\",\n \"properties\": {\n \"interface\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vlan\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ingress\": {\n \"type\": \"object\",\n \"properties\": {\n \"interface\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vlan\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os\": {\n \"type\": \"object\",\n \"properties\": {\n \"family\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"kernel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"platform\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"okta\": {\n \"type\": \"object\",\n \"properties\": {\n \"actor\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternate_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"display_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"authentication_context\": {\n \"type\": \"object\",\n \"properties\": {\n \"authentication_provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_step\": {\n \"type\": \"long\"\n },\n \"credential_provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"credential_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"external_session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"user_agent\": {\n \"type\": \"object\",\n \"properties\": {\n \"browser\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"raw_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"debug_context\": {\n \"type\": \"object\",\n \"properties\": {\n \"debug_data\": {\n \"type\": \"object\",\n \"properties\": {\n \"device_fingerprint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"factor\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"flattened\": {\n \"type\": \"flattened\"\n },\n \"request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_uri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_behaviors\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_reasons\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suspicious_activity\": {\n \"type\": \"object\",\n \"properties\": {\n \"browser\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_city\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_ip\": {\n \"type\": \"ip\"\n },\n \"event_latitude\": {\n \"type\": \"float\"\n },\n \"event_longitude\": {\n \"type\": \"float\"\n },\n \"event_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_transaction_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n }\n }\n },\n \"threat_suspected\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"display_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"outcome\": {\n \"type\": \"object\",\n \"properties\": {\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip_chain\": {\n \"type\": \"flattened\"\n }\n }\n },\n 
\"security_context\": {\n \"type\": \"object\",\n \"properties\": {\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_proxy\": {\n \"type\": \"boolean\"\n },\n \"isp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target\": {\n \"type\": \"flattened\"\n },\n \"transaction\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"oracle\": {\n \"type\": \"object\",\n \"properties\": {\n \"database_audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"action_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"terminal\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"comment_text\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"database\": {\n \"type\": \"object\",\n \"properties\": {\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"entry\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n }\n }\n },\n \"entryid\": {\n \"type\": \"long\"\n },\n \"length\": {\n \"type\": \"long\"\n },\n \"logoff_dead\": {\n \"type\": \"long\"\n },\n \"logoff_lread\": {\n \"type\": \"long\"\n },\n \"logoff_lwrite\": {\n \"type\": \"long\"\n },\n \"logoff_pread\": {\n \"type\": \"long\"\n },\n \"os_userid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priv_used\": {\n \"type\": \"long\"\n },\n \"privilege\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"returncode\": {\n \"type\": \"long\"\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sessioncpu\": {\n \"type\": \"long\"\n },\n \"statement\": {\n \"type\": \"long\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"terminal\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"userid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"orchestrator\": {\n \"type\": \"object\",\n \"properties\": {\n \"api_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cluster\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"namespace\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": 
{\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n },\n \"os\": {\n \"type\": \"object\",\n \"properties\": {\n \"family\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"kernel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"platform\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"osquery\": {\n \"type\": \"object\",\n \"properties\": {\n \"result\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"calendar_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"unix_time\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"package\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"build_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"checksum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"install_scope\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"installed\": {\n \"type\": \"date\"\n },\n \"license\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"panw\": {\n \"type\": \"object\",\n \"properties\": {\n \"panos\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"actionflags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attempted_gateways\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_os_ver\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_ver\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connect_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"datasource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"datasourcename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"datasourcetype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination\": {\n \"type\": \"object\",\n \"properties\": {\n \"interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"device_group_hierarchy\": {\n \"type\": \"object\",\n \"properties\": {\n \"level_1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"level_2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"level_3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"level_4\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"endreason\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error_code\": {\n \"type\": \"long\"\n },\n \"factorcompletiontime\": {\n \"type\": \"date\"\n },\n \"factorno\": {\n \"type\": \"long\"\n },\n \"factortype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"flow_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gateway\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"matchname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"matchtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"network\": {\n \"type\": \"object\",\n \"properties\": {\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"community_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"pcap_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"priority\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"repeatcnt\": {\n \"type\": \"long\"\n },\n \"response_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ruleset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"selection_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sequence_number\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source\": {\n \"type\": \"object\",\n \"properties\": {\n \"interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"stage\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_type\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"threat\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"timeout\": {\n \"type\": \"long\"\n },\n \"tunnel_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ugflags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"type\": \"object\",\n \"properties\": {\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"virtual_sys\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vsys_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vsys_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"pensando\": {\n \"type\": \"object\",\n \"properties\": {\n \"dfw\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_id\": {\n \"type\": \"long\"\n },\n \"destination_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"destination_port\": {\n \"type\": \"long\"\n },\n \"direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"type\": \"long\"\n },\n \"session_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source_port\": {\n \"type\": \"long\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n }\n }\n }\n }\n },\n \"postgresql\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"backend_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_addr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_port\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"command_tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"core_id\": {\n \"path\": \"postgresql.log.session_line_number\",\n \"type\": \"alias\"\n },\n \"database\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"detail\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"path\": \"postgresql.log.sql_state_code\",\n \"type\": \"alias\"\n }\n }\n },\n \"hint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"internal_query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"internal_query_pos\": {\n \"type\": \"long\"\n },\n \"location\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query_pos\": {\n \"type\": \"long\"\n },\n \"query_step\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"session_line_number\": {\n \"type\": \"long\"\n },\n \"session_start_time\": {\n \"type\": \"date\"\n },\n \"sql_state_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transaction_id\": {\n \"type\": \"long\"\n },\n \"virtual_transaction_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"process\": {\n \"type\": \"object\",\n \"properties\": {\n \"args\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"args_count\": {\n \"type\": \"long\"\n },\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"trusted\": {\n \"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"command_line\": {\n \"type\": \"wildcard\"\n },\n \"elf\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"byte_order\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"exports\": {\n \"type\": \"flattened\"\n },\n \"header\": {\n \"type\": \"object\",\n \"properties\": {\n \"abi_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entrypoint\": {\n \"type\": 
\"long\"\n },\n \"object_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_abi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"imports\": {\n \"type\": \"flattened\"\n },\n \"sections\": {\n \"type\": \"nested\",\n \"properties\": {\n \"chi2\": {\n \"type\": \"long\"\n },\n \"entropy\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_address\": {\n \"type\": \"long\"\n },\n \"virtual_size\": {\n \"type\": \"long\"\n }\n }\n },\n \"segments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"sections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shared_libraries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"telfhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"end\": {\n \"type\": \"date\"\n },\n \"entity_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"executable\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"exit_code\": {\n \"type\": \"long\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssdeep\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"owner\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"norms\": false,\n \"type\": \"text\"\n }\n }\n }\n }\n },\n \"parent\": {\n \"type\": \"object\",\n \"properties\": {\n \"args\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"args_count\": {\n \"type\": \"long\"\n },\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"trusted\": {\n \"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"command_line\": {\n \"type\": \"wildcard\"\n },\n \"elf\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"byte_order\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"exports\": {\n \"type\": \"flattened\"\n },\n \"header\": {\n \"type\": \"object\",\n \"properties\": {\n \"abi_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"entrypoint\": {\n \"type\": \"long\"\n },\n \"object_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_abi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"imports\": {\n \"type\": \"flattened\"\n },\n \"sections\": {\n \"type\": \"nested\",\n \"properties\": {\n \"chi2\": {\n \"type\": \"long\"\n },\n \"entropy\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_address\": {\n \"type\": \"long\"\n },\n \"virtual_size\": {\n \"type\": \"long\"\n }\n }\n },\n \"segments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"sections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shared_libraries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"telfhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"end\": {\n \"type\": \"date\"\n },\n \"entity_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"executable\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"exit_code\": {\n \"type\": \"long\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"ssdeep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"pgid\": {\n \"type\": \"long\"\n },\n \"pid\": {\n \"type\": \"long\"\n },\n \"start\": {\n \"type\": \"date\"\n },\n \"thread\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"uptime\": {\n \"type\": \"long\"\n },\n \"working_directory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"pgid\": {\n \"type\": \"long\"\n },\n \"pid\": {\n \"type\": \"long\"\n },\n \"program\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"start\": {\n \"type\": \"date\"\n },\n \"thread\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"uptime\": {\n \"type\": \"long\"\n },\n \"working_directory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n },\n \"rabbitmq\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"pid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"redis\": {\n \"type\": \"object\",\n \"properties\": {\n \"log\": {\n \"type\": \"object\",\n \"properties\": {\n \"role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"slowlog\": {\n \"type\": \"object\",\n \"properties\": {\n \"args\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cmd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"object\",\n \"properties\": {\n \"us\": {\n \"type\": \"long\"\n }\n }\n },\n \"id\": {\n \"type\": \"long\"\n },\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"registry\": {\n \"type\": \"object\",\n \"properties\": {\n \"data\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"strings\": {\n \"type\": \"wildcard\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hive\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"key\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"related\": {\n \"type\": \"object\",\n \"properties\": {\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hosts\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"rsa\": {\n \"type\": \"object\",\n \"properties\": {\n \"counters\": {\n \"type\": \"object\",\n \"properties\": {\n \"dclass_c1\": {\n \"type\": \"long\"\n },\n \"dclass_c1_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_c2\": {\n \"type\": \"long\"\n },\n \"dclass_c2_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_c3\": {\n \"type\": \"long\"\n },\n \"dclass_c3_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_r1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_r1_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_r2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_r2_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_r3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dclass_r3_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_counter\": {\n \"type\": \"long\"\n }\n }\n },\n \"crypto\": {\n \"type\": \"object\",\n \"properties\": {\n \"cert_ca\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_checksum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_common\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_host_cat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_host_name\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"cert_issuer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_keysize\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_serial\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cipher_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cipher_size_dst\": {\n \"type\": \"long\"\n },\n \"cipher_size_src\": {\n \"type\": \"long\"\n },\n \"cipher_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"crypto\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"d_certauth\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"https_insact\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"https_valid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ike\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ike_cookie1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ike_cookie2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"s_certauth\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scheme\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sig_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_ver_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl_ver_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"db\": {\n \"type\": \"object\",\n \"properties\": {\n \"database\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_pid\": {\n \"type\": 
\"long\"\n },\n \"index\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"instance\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lread\": {\n \"type\": \"long\"\n },\n \"lwrite\": {\n \"type\": \"long\"\n },\n \"permissions\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pread\": {\n \"type\": \"long\"\n },\n \"table_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transact_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"email\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trans_from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trans_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"endpoint\": {\n \"type\": \"object\",\n \"properties\": {\n \"host_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registry_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registry_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"attachment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"binary\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"directory_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"directory_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_entropy\": {\n \"type\": \"double\"\n },\n \"file_vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filename_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filename_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filename_tmp\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filesystem\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"privilege\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"task_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"healthcare\": {\n \"type\": \"object\",\n \"properties\": {\n \"patient_fname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"patient_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"patient_lname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"patient_mname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"identity\": {\n \"type\": \"object\",\n \"properties\": {\n \"accesses\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dn_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dn_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"federated_idp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"federated_sp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"firstname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lastname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ldap\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ldap_query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ldap_response\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logon_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logon_type_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"middlename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"org\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"profile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"realm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service_account\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_dept\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_sid_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_sid_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"internal\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit_class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dead\": {\n \"type\": \"long\"\n },\n \"device_class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_ip\": {\n \"type\": \"ip\"\n },\n \"device_ipv6\": {\n \"type\": \"ip\"\n },\n \"device_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_type_id\": {\n \"type\": \"long\"\n },\n \"did\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entropy_req\": {\n \"type\": \"long\"\n },\n \"entropy_res\": {\n \"type\": \"long\"\n },\n \"entry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"feed_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"feed_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"feed_name\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"forward_ip\": {\n \"type\": \"ip\"\n },\n \"forward_ipv6\": {\n \"type\": \"ip\"\n },\n \"hcode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"header_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inode\": {\n \"type\": \"long\"\n },\n \"lc_cid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lc_ctime\": {\n \"type\": \"date\"\n },\n \"level\": {\n \"type\": \"long\"\n },\n \"mcb_req\": {\n \"type\": \"long\"\n },\n \"mcb_res\": {\n \"type\": \"long\"\n },\n \"mcbc_req\": {\n \"type\": \"long\"\n },\n \"mcbc_res\": {\n \"type\": \"long\"\n },\n \"medium\": {\n \"type\": \"long\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"messageid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msg_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msg_vid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nwe_callback_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"obj_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"obj_server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"obj_val\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parse_error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"payload_req\": {\n \"type\": \"long\"\n },\n \"payload_res\": {\n \"type\": \"long\"\n },\n \"process_vid_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process_vid_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource_class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rid\": {\n \"type\": \"long\"\n },\n \"session_split\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"site\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"sourcefile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"statement\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time\": {\n \"type\": \"date\"\n },\n \"ubc_req\": {\n \"type\": \"long\"\n },\n \"ubc_res\": {\n \"type\": \"long\"\n },\n \"word\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"investigations\": {\n \"type\": \"object\",\n \"properties\": {\n \"analysis_file\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"analysis_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"analysis_session\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"boc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ec_activity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ec_outcome\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ec_subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ec_theme\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eoc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_cat\": {\n \"type\": \"long\"\n },\n \"event_cat_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_vcat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inv_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inv_context\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ioc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"misc\": {\n \"type\": \"object\",\n \"properties\": {\n \"OS\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"acl_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"acl_op\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"acl_pos\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"acl_table\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"admin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"agent_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alarm_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alarmname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alert_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"audit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"audit_object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auditdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"autorun_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"benchmark\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bypass\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cache\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cache_hit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cc_number\": {\n \"type\": \"long\"\n },\n \"cefversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfg_attr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfg_obj\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cfg_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"change_attrib\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"change_new\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"change_old\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"changes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"checksum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"checksum_dst\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"checksum_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"clustermembers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cmd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_acttimeout\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_asn_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_bgpv4nxthop\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_ctr_dst_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_dst_tos\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_dst_vlan\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_engine_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_engine_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_f_switch\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_flowsampid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_flowsampintv\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_flowsampmode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_inacttimeout\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_inpermbyts\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_inpermpckts\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_invalid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_ip_proto_ver\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_ipv4_ident\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_l_switch\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_log_did\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_log_rid\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"cn_max_ttl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_maxpcktlen\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_min_ttl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_minpcktlen\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_10\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_4\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_6\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_7\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_8\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mpls_lbl_9\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mplstoplabel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mplstoplabip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mul_dst_byt\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_mul_dst_pks\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_muligmptype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_sampalgo\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_sampint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_seqctr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_spackets\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_src_tos\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_src_vlan\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_sysuptime\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"cn_template_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_totbytsexp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_totflowexp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_totpcktsexp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_unixnanosecs\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_v6flowlabel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_v6optheaders\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comments\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comp_class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comp_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comp_rbytes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comp_sbytes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comp_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_target\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"count\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu\": {\n \"type\": \"long\"\n },\n \"cpu_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"criticality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_agency_dst\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_analyzedby\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_av_other\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_av_primary\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_av_secondary\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_bgpv6nxthop\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_bit9status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_context\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_control\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_datecret\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_dst_tld\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_eth_dst_ven\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_eth_src_ven\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_event_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_filetype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_fld\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_if_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_if_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_ip_next_hop\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_ipv4dstpre\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_ipv4srcpre\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_lifetime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_log_medium\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_loginname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_modulescore\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_modulesign\": 
{\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_opswatresult\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_payload\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_registrant\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_registrar\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_represult\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_rpayload\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_sampler_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_sourcemodule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_streams\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_targetmodule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_v6nxthop\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_whois_server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cs_yararesult\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"devvendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"disposition\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distance\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"doc_number\": {\n \"type\": \"long\"\n },\n \"dstburb\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"edomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"edomaub\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ein_number\": {\n \"type\": \"long\"\n },\n \"error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"euid\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"event_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_computer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_log\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"expected_val\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"facility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"facilityname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fcatnum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filter\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"finterface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"forensic_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"found\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fresult\": {\n \"type\": \"long\"\n },\n \"gaddr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group_object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hardware_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_buddyid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_buddyname\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"im_client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_croomid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_croomtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_members\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_userid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"im_username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"index\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"inout\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipkt\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipscat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipspri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"job_num\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"jobname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"language\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"latitude\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"library\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lifetime\": {\n \"type\": \"long\"\n },\n \"linenum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"link\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"list_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"listnum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"load_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location_floor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location_mark\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_session_id1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_type\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"logname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"longitude\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lport\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mail_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"match\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mbug_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message_body\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"misc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"misc_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgIdPart1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgIdPart2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgIdPart3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgIdPart4\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msg_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msgid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netsessid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ntype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"num\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nwwn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"obj_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"obj_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"observed_val\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operation_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"opkt\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"orig_from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_filter\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_group_object\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_msgid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_msgid1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_msgid2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_result1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"param\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"param_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"param_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"parent_node\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"password_chg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"password_expire\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"payload_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"payload_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"permgranted\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"permwanted\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"pgid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policyUUID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_waiver\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pool_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pool_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priority\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process_id_val\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"prog_asp_num\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"program\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"real_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rec_asp_device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rec_asp_num\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rec_library\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"recordnum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference_id1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference_id2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result_code\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"risk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_num\": {\n \"type\": \"double\"\n },\n \"risk_num_comm\": {\n \"type\": \"double\"\n },\n \"risk_num_next\": {\n \"type\": \"double\"\n },\n \"risk_num_sand\": {\n \"type\": \"double\"\n },\n \"risk_num_static\": {\n \"type\": \"double\"\n },\n \"risk_suspicious\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"risk_warning\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ruid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_template\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rule_uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sburb\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sdomain_fld\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"search_text\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sec\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"second\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sensor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sensorname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"seqnum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sessiontype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sigUUID\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sig_id\": {\n \"type\": \"long\"\n },\n 
\"sig_id1\": {\n \"type\": \"long\"\n },\n \"sig_id_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sig_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sigcat\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"snmp_oid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"snmp_value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"space\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"space1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"spi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"spi_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"spi_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sql\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcburb\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcdom\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"srcservice\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"streams\": {\n \"type\": \"long\"\n },\n \"subcategory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"svcno\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"system\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tbdstr1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tbdstr2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_flags\": {\n \"type\": \"long\"\n },\n \"terminal\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tgtdom\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tgtdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threshold\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"tos\": {\n \"type\": \"long\"\n },\n \"trigger_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trigger_val\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"udb_class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url_fld\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_div\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"userid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username_fld\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"utcstamp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"v_instafname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virt_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virusname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vm_target\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vpnid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vsys\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vuln_ref\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"workspace\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"network\": {\n \"type\": \"object\",\n \"properties\": {\n \"ad_computer_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"addr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alias_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dinterface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dmask\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_a_record\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_cname_record\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"dns_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_opcode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_ptr_record\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_resp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domain1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eth_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eth_type\": {\n \"type\": \"long\"\n },\n \"faddr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fhost\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fport\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gateway\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_orig\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_code\": {\n \"type\": \"long\"\n },\n \"icmp_type\": {\n \"type\": \"long\"\n },\n \"interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip_proto\": {\n \"type\": \"long\"\n },\n \"laddr\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lhost\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"linterface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mask\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"network_port\": {\n \"type\": \"long\"\n },\n \"network_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"origin\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"packet_length\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"paddr\": {\n \"type\": \"ip\"\n },\n \"phost\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"protocol_detail\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote_domain_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rpayload\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sinterface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"smask\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vlan\": {\n \"type\": \"long\"\n },\n \"vlan_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"zone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"zone_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"zone_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"physical\": {\n \"type\": \"object\",\n \"properties\": {\n \"org_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"org_src\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"storage\": {\n \"type\": \"object\",\n \"properties\": {\n \"disk_volume\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"lun\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pwwn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"threat\": {\n \"type\": \"object\",\n \"properties\": {\n \"alert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat_source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"time\": {\n \"type\": \"object\",\n \"properties\": {\n \"date\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"datetime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"day\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"duration_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration_time\": {\n \"type\": \"double\"\n },\n \"effective_time\": {\n \"type\": \"date\"\n },\n \"endtime\": {\n \"type\": \"date\"\n },\n \"event_queue_time\": {\n \"type\": \"date\"\n },\n \"event_time\": {\n \"type\": \"date\"\n },\n \"event_time_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eventtime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"expire_time\": {\n \"type\": \"date\"\n },\n \"expire_time_str\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gmtdate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gmttime\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hour\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"min\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"month\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_date\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_month\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_time1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_time2\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_year\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"process_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"recorded_time\": {\n \"type\": \"date\"\n },\n \"stamp\": {\n \"type\": \"date\"\n },\n \"starttime\": {\n \"type\": \"date\"\n },\n \"timestamp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tzone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"year\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"web\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias_host\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"cn_asn_dst\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cn_rpackets\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fqdn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_web_cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_web_method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"p_web_referer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reputation_num\": {\n \"type\": \"double\"\n },\n \"urlpage\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"urlroot\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_extension_tmp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_page\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_ref_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_ref_page\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_ref_query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_ref_root\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"wireless\": {\n \"type\": \"object\",\n \"properties\": {\n \"access_point\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"wlan_channel\": {\n \"type\": \"long\"\n },\n \"wlan_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"wlan_ssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"rule\": {\n \"type\": \"object\",\n \"properties\": {\n \"author\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"license\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ruleset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"salesforce\": {\n \"type\": \"object\",\n \"properties\": {\n \"access_mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"apex\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"callout_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_blocks\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_cpu_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_total_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entity_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entry_point\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"execute_ms\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fetch_ms\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filter\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_long_running_request\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"limit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"limit_usage_percent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"media_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"method_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number_fields\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number_soql_queries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"orderby\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"quiddity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"rows\": {\n \"type\": \"object\",\n \"properties\": {\n \"fetched\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"processed\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"run_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"select\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subqueries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"throughput\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trigger\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uri_id_derived\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_id_derived\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"login\": {\n \"type\": \"object\",\n \"properties\": {\n \"api_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"api_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_method_reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_service_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"authentication_method_reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created_by_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"db_total_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"evaluation_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_geo_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_history_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_outcome\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"related_event_identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"run_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uri_id_derived\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_id_derived\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"logout\": {\n \"type\": \"object\",\n \"properties\": {\n \"api_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"api_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"browser_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created_by_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization_by_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"platform_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"related_event_identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"replay_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resolution_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"schema\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_id_derived\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"user_initiated_logout\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"setup_audit_trail\": {\n \"type\": \"object\",\n \"properties\": {\n \"created_by_context\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created_by_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created_by_issuer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"delegate_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"display\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"responsible_namespace_prefix\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"section\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"santa\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"certificate\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"decision\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"disk\": {\n \"type\": \"object\",\n \"properties\": {\n \"bsdname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"bus\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fs\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"model\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mount\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"serial\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"volume\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n 
\"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"packets\": {\n \"type\": \"long\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"environment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ephemeral_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"origin\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"environment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ephemeral_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"target\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"environment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ephemeral_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"snyk\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"content\": {\n \"type\": \"flattened\"\n },\n \"org_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"project_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"projects\": {\n \"type\": \"flattened\"\n },\n \"related\": {\n \"type\": \"object\",\n \"properties\": {\n \"projects\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vulnerabilities\": {\n \"type\": \"object\",\n \"properties\": {\n \"credit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cvss3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"disclosure_time\": {\n \"type\": \"date\"\n },\n \"exploit_maturity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identifiers\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cwe\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"introduced_date\": {\n \"type\": \"date\"\n },\n \"is_fixed\": {\n \"type\": \"boolean\"\n },\n \"is_ignored\": {\n \"type\": \"boolean\"\n },\n \"is_patchable\": {\n \"type\": \"boolean\"\n },\n \"is_patched\": {\n \"type\": \"boolean\"\n },\n \"is_pinnable\": {\n \"type\": \"boolean\"\n },\n \"is_upgradable\": {\n \"type\": \"boolean\"\n },\n \"jira_issue_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"language\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_severity\": {\n \"type\": \"long\"\n },\n \"package\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"package_manager\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"patches\": {\n \"type\": \"flattened\"\n },\n \"priority_score\": {\n \"type\": \"long\"\n },\n \"publication_time\": {\n \"type\": \"date\"\n },\n \"reachability\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"semver\": {\n \"type\": \"flattened\"\n },\n \"title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"unique_severities_list\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"sophos\": {\n \"type\": \"object\",\n \"properties\": {\n \"xg\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"activityname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ap\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_filter_policy_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_is_cloud\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_resolved_by\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_risk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"appfilter_policy_id\": {\n \"type\": \"long\"\n },\n \"application\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_filter_policy\": {\n \"type\": \"long\"\n },\n \"application_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_risk\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"application_technology\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"appresolvedby\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"auth_mechanism\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"av_policy_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"backup_mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"branch_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_host_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_physical_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"clients_conn_ssid\": {\n \"type\": \"long\"\n },\n \"collisions\": {\n \"type\": \"long\"\n },\n \"con_event\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"con_id\": {\n \"type\": \"long\"\n },\n \"configuration\": {\n \"type\": \"float\"\n },\n \"conn_id\": {\n \"type\": \"long\"\n },\n \"connectionname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connectiontype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connevent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"contenttype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_match\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_prefix\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"context_suffix\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"date\": {\n \"type\": \"date\"\n },\n \"destinationip\": {\n \"type\": \"ip\"\n },\n \"device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_model\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"device_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dictionary_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dir_disp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domainname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"download_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"download_file_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_country_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"dst_domainname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dst_ip\": {\n \"type\": \"ip\"\n },\n \"dst_port\": {\n \"type\": \"long\"\n },\n \"dst_zone_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dstdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"long\"\n },\n \"email_subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ep_uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ether_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eventid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"eventtime\": {\n \"type\": \"date\"\n },\n \"eventtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exceptions\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"execution_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extra\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_size\": {\n \"type\": \"long\"\n },\n \"filename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filepath\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filesize\": {\n \"type\": \"long\"\n },\n \"free\": {\n \"type\": \"long\"\n },\n \"from_email_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ftp_direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ftp_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ftpcommand\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fw_rule_id\": {\n \"type\": \"long\"\n },\n \"fw_rule_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hb_health\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hb_status\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http_category_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"httpresponsecode\": {\n \"type\": \"long\"\n },\n \"iap\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"idle_cpu\": {\n \"type\": \"float\"\n },\n \"idp_policy_id\": {\n \"type\": \"long\"\n },\n \"idp_policy_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"in_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ipaddress\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ips_policy_id\": {\n \"type\": \"long\"\n },\n \"lease_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"localgateway\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"localnetwork\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_component\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_subtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"login_user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mailid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mailsize\": {\n \"type\": \"long\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat_rule_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"newversion\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"oldversion\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"out_interface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"override_authorizer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"override_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"override_token\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phpsessid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"platform\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"policy_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priority\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"qualifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"quarantine\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"quarantine_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"querystring\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"raw_data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"received_pkts\": {\n \"type\": \"long\"\n },\n \"receiveddrops\": {\n \"type\": \"long\"\n },\n \"receivederrors\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"receivedkbits\": {\n \"type\": \"long\"\n },\n \"recv_bytes\": {\n \"type\": \"long\"\n },\n \"red_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"referer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote_ip\": {\n \"type\": \"ip\"\n },\n \"remotenetwork\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reported_host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reported_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reports\": {\n \"type\": \"float\"\n },\n \"rule_priority\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"sent_bytes\": {\n \"type\": \"long\"\n },\n \"sent_pkts\": {\n \"type\": \"long\"\n },\n \"server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sessionid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1sum\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature\": {\n \"type\": \"float\"\n },\n \"signature_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"site_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sourceip\": {\n \"type\": \"ip\"\n },\n \"spamaction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sqli\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_country_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_domainname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_ip\": {\n \"type\": \"ip\"\n },\n \"src_mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"src_port\": {\n \"type\": \"long\"\n },\n \"src_zone_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"start_time\": {\n \"type\": \"date\"\n },\n \"starttime\": {\n \"type\": \"date\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"syslog_server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"system_cpu\": {\n \"type\": \"float\"\n },\n \"target\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"temp\": {\n \"type\": \"float\"\n },\n \"threatname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n 
\"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"to_email_address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total_memory\": {\n \"type\": \"long\"\n },\n \"trans_dst_ip\": {\n \"type\": \"ip\"\n },\n \"trans_dst_port\": {\n \"type\": \"long\"\n },\n \"trans_src_ip\": {\n \"type\": \"ip\"\n },\n \"trans_src_port\": {\n \"type\": \"long\"\n },\n \"transaction_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transactionid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transmitteddrops\": {\n \"type\": \"long\"\n },\n \"transmittederrors\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transmittedkbits\": {\n \"type\": \"long\"\n },\n \"unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"updatedip\": {\n \"type\": \"ip\"\n },\n \"upload_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"upload_file_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"used\": {\n \"type\": \"long\"\n },\n \"used_quota\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_cpu\": {\n \"type\": \"float\"\n },\n \"user_gp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"users\": {\n \"type\": \"long\"\n },\n \"vconn_id\": {\n \"type\": \"long\"\n },\n \"virus\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"web_policy_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"website\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"xss\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"source\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nat\": {\n \"type\": \"object\",\n \"properties\": {\n \"ip\": {\n \"type\": \"ip\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"packets\": {\n \"type\": \"long\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"span\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"stream\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suricata\": {\n \"type\": \"object\",\n \"properties\": {\n \"eve\": {\n \"type\": \"object\",\n \"properties\": {\n \"alert\": {\n \"type\": \"object\",\n \"properties\": {\n \"affected_product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"attack_target\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"capec_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"created_at\": {\n \"type\": \"date\"\n },\n \"cve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cvss_v2_base\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"cvss_v2_temporal\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cvss_v3_base\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cvss_v3_temporal\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cwe_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"deployment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"former_category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gid\": {\n \"type\": \"long\"\n },\n \"hostile\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"infected\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"malware\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"metadata\": {\n \"type\": \"flattened\"\n },\n \"mitre_tool_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"performance_impact\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priority\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocols\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rev\": {\n \"type\": \"long\"\n },\n \"rule_source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_id\": {\n \"type\": \"long\"\n },\n \"signature_severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tag\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"updated_at\": {\n \"type\": \"date\"\n }\n }\n },\n \"app_proto_expected\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_proto_orig\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_proto_tc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"app_proto_ts\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dns\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n 
\"type\": \"long\"\n },\n \"rcode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rdata\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rrname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rrtype\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ttl\": {\n \"type\": \"long\"\n },\n \"tx_id\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"email\": {\n \"type\": \"object\",\n \"properties\": {\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"event_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fileinfo\": {\n \"type\": \"object\",\n \"properties\": {\n \"gaps\": {\n \"type\": \"boolean\"\n },\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"stored\": {\n \"type\": \"boolean\"\n },\n \"tx_id\": {\n \"type\": \"long\"\n }\n }\n },\n \"flow\": {\n \"type\": \"object\",\n \"properties\": {\n \"age\": {\n \"type\": \"long\"\n },\n \"alerted\": {\n \"type\": \"boolean\"\n },\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"flow_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"http_content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"redirect\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"icmp_code\": {\n \"type\": \"long\"\n },\n \"icmp_type\": {\n \"type\": \"long\"\n },\n \"in_iface\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pcap_cnt\": {\n 
\"type\": \"long\"\n },\n \"smtp\": {\n \"type\": \"object\",\n \"properties\": {\n \"helo\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mail_from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rcpt_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ssh\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"proto_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"software_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"proto_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"software_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"stats\": {\n \"type\": \"object\",\n \"properties\": {\n \"app_layer\": {\n \"type\": \"object\",\n \"properties\": {\n \"flow\": {\n \"type\": \"object\",\n \"properties\": {\n \"dcerpc_tcp\": {\n \"type\": \"long\"\n },\n \"dcerpc_udp\": {\n \"type\": \"long\"\n },\n \"dns_tcp\": {\n \"type\": \"long\"\n },\n \"dns_udp\": {\n \"type\": \"long\"\n },\n \"failed_tcp\": {\n \"type\": \"long\"\n },\n \"failed_udp\": {\n \"type\": \"long\"\n },\n \"ftp\": {\n \"type\": \"long\"\n },\n \"http\": {\n \"type\": \"long\"\n },\n \"imap\": {\n \"type\": \"long\"\n },\n \"msn\": {\n \"type\": \"long\"\n },\n \"smb\": {\n \"type\": \"long\"\n },\n \"smtp\": {\n \"type\": \"long\"\n },\n \"ssh\": {\n \"type\": \"long\"\n },\n \"tls\": {\n \"type\": \"long\"\n }\n }\n },\n \"tx\": {\n \"type\": \"object\",\n \"properties\": {\n \"dcerpc_tcp\": {\n \"type\": \"long\"\n },\n \"dcerpc_udp\": {\n \"type\": \"long\"\n },\n \"dns_tcp\": {\n \"type\": \"long\"\n },\n \"dns_udp\": {\n \"type\": \"long\"\n },\n \"ftp\": {\n \"type\": \"long\"\n },\n \"http\": {\n \"type\": \"long\"\n },\n \"smb\": {\n \"type\": \"long\"\n },\n \"smtp\": {\n \"type\": \"long\"\n },\n \"ssh\": 
{\n \"type\": \"long\"\n },\n \"tls\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"capture\": {\n \"type\": \"object\",\n \"properties\": {\n \"kernel_drops\": {\n \"type\": \"long\"\n },\n \"kernel_ifdrops\": {\n \"type\": \"long\"\n },\n \"kernel_packets\": {\n \"type\": \"long\"\n }\n }\n },\n \"decoder\": {\n \"type\": \"object\",\n \"properties\": {\n \"avg_pkt_size\": {\n \"type\": \"long\"\n },\n \"bytes\": {\n \"type\": \"long\"\n },\n \"dce\": {\n \"type\": \"object\",\n \"properties\": {\n \"pkt_too_small\": {\n \"type\": \"long\"\n }\n }\n },\n \"erspan\": {\n \"type\": \"long\"\n },\n \"ethernet\": {\n \"type\": \"long\"\n },\n \"gre\": {\n \"type\": \"long\"\n },\n \"icmpv4\": {\n \"type\": \"long\"\n },\n \"icmpv6\": {\n \"type\": \"long\"\n },\n \"ieee8021ah\": {\n \"type\": \"long\"\n },\n \"invalid\": {\n \"type\": \"long\"\n },\n \"ipraw\": {\n \"type\": \"object\",\n \"properties\": {\n \"invalid_ip_version\": {\n \"type\": \"long\"\n }\n }\n },\n \"ipv4\": {\n \"type\": \"long\"\n },\n \"ipv4_in_ipv6\": {\n \"type\": \"long\"\n },\n \"ipv6\": {\n \"type\": \"long\"\n },\n \"ipv6_in_ipv6\": {\n \"type\": \"long\"\n },\n \"ltnull\": {\n \"type\": \"object\",\n \"properties\": {\n \"pkt_too_small\": {\n \"type\": \"long\"\n },\n \"unsupported_type\": {\n \"type\": \"long\"\n }\n }\n },\n \"max_pkt_size\": {\n \"type\": \"long\"\n },\n \"mpls\": {\n \"type\": \"long\"\n },\n \"null\": {\n \"type\": \"long\"\n },\n \"pkts\": {\n \"type\": \"long\"\n },\n \"ppp\": {\n \"type\": \"long\"\n },\n \"pppoe\": {\n \"type\": \"long\"\n },\n \"raw\": {\n \"type\": \"long\"\n },\n \"sctp\": {\n \"type\": \"long\"\n },\n \"sll\": {\n \"type\": \"long\"\n },\n \"tcp\": {\n \"type\": \"long\"\n },\n \"teredo\": {\n \"type\": \"long\"\n },\n \"udp\": {\n \"type\": \"long\"\n },\n \"vlan\": {\n \"type\": \"long\"\n },\n \"vlan_qinq\": {\n \"type\": \"long\"\n }\n }\n },\n \"defrag\": {\n \"type\": \"object\",\n \"properties\": {\n \"ipv4\": {\n \"type\": 
\"object\",\n \"properties\": {\n \"fragments\": {\n \"type\": \"long\"\n },\n \"reassembled\": {\n \"type\": \"long\"\n },\n \"timeouts\": {\n \"type\": \"long\"\n }\n }\n },\n \"ipv6\": {\n \"type\": \"object\",\n \"properties\": {\n \"fragments\": {\n \"type\": \"long\"\n },\n \"reassembled\": {\n \"type\": \"long\"\n },\n \"timeouts\": {\n \"type\": \"long\"\n }\n }\n },\n \"max_frag_hits\": {\n \"type\": \"long\"\n }\n }\n },\n \"detect\": {\n \"type\": \"object\",\n \"properties\": {\n \"alert\": {\n \"type\": \"long\"\n }\n }\n },\n \"dns\": {\n \"type\": \"object\",\n \"properties\": {\n \"memcap_global\": {\n \"type\": \"long\"\n },\n \"memcap_state\": {\n \"type\": \"long\"\n },\n \"memuse\": {\n \"type\": \"long\"\n }\n }\n },\n \"file_store\": {\n \"type\": \"object\",\n \"properties\": {\n \"open_files\": {\n \"type\": \"long\"\n }\n }\n },\n \"flow\": {\n \"type\": \"object\",\n \"properties\": {\n \"emerg_mode_entered\": {\n \"type\": \"long\"\n },\n \"emerg_mode_over\": {\n \"type\": \"long\"\n },\n \"icmpv4\": {\n \"type\": \"long\"\n },\n \"icmpv6\": {\n \"type\": \"long\"\n },\n \"memcap\": {\n \"type\": \"long\"\n },\n \"memuse\": {\n \"type\": \"long\"\n },\n \"spare\": {\n \"type\": \"long\"\n },\n \"tcp\": {\n \"type\": \"long\"\n },\n \"tcp_reuse\": {\n \"type\": \"long\"\n },\n \"udp\": {\n \"type\": \"long\"\n }\n }\n },\n \"flow_mgr\": {\n \"type\": \"object\",\n \"properties\": {\n \"bypassed_pruned\": {\n \"type\": \"long\"\n },\n \"closed_pruned\": {\n \"type\": \"long\"\n },\n \"est_pruned\": {\n \"type\": \"long\"\n },\n \"flows_checked\": {\n \"type\": \"long\"\n },\n \"flows_notimeout\": {\n \"type\": \"long\"\n },\n \"flows_removed\": {\n \"type\": \"long\"\n },\n \"flows_timeout\": {\n \"type\": \"long\"\n },\n \"flows_timeout_inuse\": {\n \"type\": \"long\"\n },\n \"new_pruned\": {\n \"type\": \"long\"\n },\n \"rows_busy\": {\n \"type\": \"long\"\n },\n \"rows_checked\": {\n \"type\": \"long\"\n },\n \"rows_empty\": {\n 
\"type\": \"long\"\n },\n \"rows_maxlen\": {\n \"type\": \"long\"\n },\n \"rows_skipped\": {\n \"type\": \"long\"\n }\n }\n },\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"memcap\": {\n \"type\": \"long\"\n },\n \"memuse\": {\n \"type\": \"long\"\n }\n }\n },\n \"tcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"insert_data_normal_fail\": {\n \"type\": \"long\"\n },\n \"insert_data_overlap_fail\": {\n \"type\": \"long\"\n },\n \"insert_list_fail\": {\n \"type\": \"long\"\n },\n \"invalid_checksum\": {\n \"type\": \"long\"\n },\n \"memuse\": {\n \"type\": \"long\"\n },\n \"no_flow\": {\n \"type\": \"long\"\n },\n \"overlap\": {\n \"type\": \"long\"\n },\n \"overlap_diff_data\": {\n \"type\": \"long\"\n },\n \"pseudo\": {\n \"type\": \"long\"\n },\n \"pseudo_failed\": {\n \"type\": \"long\"\n },\n \"reassembly_gap\": {\n \"type\": \"long\"\n },\n \"reassembly_memuse\": {\n \"type\": \"long\"\n },\n \"rst\": {\n \"type\": \"long\"\n },\n \"segment_memcap_drop\": {\n \"type\": \"long\"\n },\n \"sessions\": {\n \"type\": \"long\"\n },\n \"ssn_memcap_drop\": {\n \"type\": \"long\"\n },\n \"stream_depth_reached\": {\n \"type\": \"long\"\n },\n \"syn\": {\n \"type\": \"long\"\n },\n \"synack\": {\n \"type\": \"long\"\n }\n }\n },\n \"uptime\": {\n \"type\": \"long\"\n }\n }\n },\n \"tcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"ack\": {\n \"type\": \"boolean\"\n },\n \"fin\": {\n \"type\": \"boolean\"\n },\n \"psh\": {\n \"type\": \"boolean\"\n },\n \"rst\": {\n \"type\": \"boolean\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"syn\": {\n \"type\": \"boolean\"\n },\n \"tcp_flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_flags_tc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tcp_flags_ts\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"tls\": {\n \"type\": \"object\",\n \"properties\": {\n \"fingerprint\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"issuerdn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ja3\": {\n \"type\": \"object\",\n \"properties\": {\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"string\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ja3s\": {\n \"type\": \"object\",\n \"properties\": {\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"string\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"notafter\": {\n \"type\": \"date\"\n },\n \"notbefore\": {\n \"type\": \"date\"\n },\n \"serial\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_resumed\": {\n \"type\": \"boolean\"\n },\n \"sni\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"tx_id\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"syslog\": {\n \"type\": \"object\",\n \"properties\": {\n \"facility\": {\n \"type\": \"long\"\n },\n \"facility_label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"priority\": {\n \"type\": \"long\"\n },\n \"severity_label\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"system\": {\n \"type\": \"object\",\n \"properties\": {\n \"auth\": {\n \"type\": \"object\",\n \"properties\": {\n \"ssh\": {\n \"type\": \"object\",\n \"properties\": {\n \"dropped_ip\": {\n \"type\": \"ip\"\n },\n \"event\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"sudo\": {\n \"type\": \"object\",\n \"properties\": {\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pwd\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"tty\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"useradd\": {\n \"type\": \"object\",\n \"properties\": {\n \"home\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"shell\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"tags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"threat\": {\n \"type\": \"object\",\n \"properties\": {\n \"enrichments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"indicator\": {\n \"type\": \"object\",\n \"properties\": {\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"confidence\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"accessed\": {\n \"type\": \"date\"\n },\n \"attributes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"trusted\": {\n 
\"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"created\": {\n \"type\": \"date\"\n },\n \"ctime\": {\n \"type\": \"date\"\n },\n \"device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"directory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"drive_letter\": {\n \"ignore_above\": 1,\n \"type\": \"keyword\"\n },\n \"elf\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"byte_order\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"exports\": {\n \"type\": \"flattened\"\n },\n \"header\": {\n \"type\": \"object\",\n \"properties\": {\n \"abi_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entrypoint\": {\n \"type\": \"long\"\n },\n \"object_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_abi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"imports\": {\n \"type\": \"flattened\"\n },\n \"sections\": {\n \"type\": \"nested\",\n \"properties\": {\n \"chi2\": {\n \"type\": \"long\"\n },\n \"entropy\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_address\": {\n \"type\": \"long\"\n },\n \"virtual_size\": {\n \"type\": 
\"long\"\n }\n }\n },\n \"segments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"sections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shared_libraries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"telfhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fork_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssdeep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"inode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mtime\": {\n \"type\": \"date\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"target_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"first_seen\": {\n \"type\": \"date\"\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"last_seen\": {\n \"type\": \"date\"\n },\n \"marking\": {\n \"type\": \"object\",\n \"properties\": {\n \"tlp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"modified_at\": {\n \"type\": \"date\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registry\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"data\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"strings\": {\n \"type\": \"wildcard\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hive\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"scanner_stats\": {\n \"type\": \"long\"\n },\n \"sightings\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fragment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"type\": \"wildcard\"\n },\n \"original\": {\n \"type\": \"wildcard\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"type\": \"wildcard\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scheme\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"matched\": {\n \"type\": \"object\",\n \"properties\": {\n \"atomic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"field\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"index\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"framework\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"indicator\": {\n \"type\": \"object\",\n \"properties\": {\n \"as\": {\n \"type\": \"object\",\n \"properties\": {\n \"number\": {\n \"type\": \"long\"\n },\n \"organization\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n }\n }\n }\n }\n },\n \"confidence\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"accessed\": {\n \"type\": \"date\"\n },\n \"attributes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"code_signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"digest_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exists\": {\n \"type\": \"boolean\"\n },\n \"signing_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"team_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n 
\"trusted\": {\n \"type\": \"boolean\"\n },\n \"valid\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"created\": {\n \"type\": \"date\"\n },\n \"ctime\": {\n \"type\": \"date\"\n },\n \"device\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"directory\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"drive_letter\": {\n \"ignore_above\": 1,\n \"type\": \"keyword\"\n },\n \"elf\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"byte_order\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cpu_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"creation_date\": {\n \"type\": \"date\"\n },\n \"exports\": {\n \"type\": \"flattened\"\n },\n \"header\": {\n \"type\": \"object\",\n \"properties\": {\n \"abi_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"class\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"entrypoint\": {\n \"type\": \"long\"\n },\n \"object_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os_abi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"imports\": {\n \"type\": \"flattened\"\n },\n \"sections\": {\n \"type\": \"nested\",\n \"properties\": {\n \"chi2\": {\n \"type\": \"long\"\n },\n \"entropy\": {\n \"type\": \"long\"\n },\n \"flags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_offset\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"physical_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"virtual_address\": {\n \"type\": \"long\"\n },\n \"virtual_size\": 
{\n \"type\": \"long\"\n }\n }\n },\n \"segments\": {\n \"type\": \"nested\",\n \"properties\": {\n \"sections\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"shared_libraries\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"telfhash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fork_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"gid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"group\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha512\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssdeep\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"inode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mode\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mtime\": {\n \"type\": \"date\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"architecture\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"imphash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original_file_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"target_path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"first_seen\": {\n \"type\": \"date\"\n },\n \"geo\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"continent_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"location\": {\n \"type\": \"geo_point\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"postal_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_iso_code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"region_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"last_seen\": {\n \"type\": \"date\"\n },\n \"marking\": {\n \"type\": \"object\",\n \"properties\": {\n \"tlp\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"modified_at\": {\n \"type\": \"date\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"provider\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registry\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"data\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"strings\": {\n \"type\": \"wildcard\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hive\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"scanner_stats\": {\n \"type\": \"long\"\n },\n \"sightings\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"url\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fragment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"type\": \"wildcard\"\n },\n \"original\": {\n \"type\": \"wildcard\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"type\": \"wildcard\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scheme\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"software\": {\n \"type\": \"object\",\n \"properties\": {\n \"alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"platforms\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"tactic\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"technique\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subtechnique\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"timeseries\": {\n \"type\": \"object\",\n \"properties\": {\n \"instance\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"tls\": {\n \"type\": \"object\",\n \"properties\": {\n \"cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"certificate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"certificate_chain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n }\n }\n },\n \"issuer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ja3\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"server_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"supported_ciphers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"established\": {\n \"type\": \"boolean\"\n },\n \"next_protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resumed\": {\n \"type\": \"boolean\"\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"certificate\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"certificate_chain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"issuer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ja3s\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n 
},\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version_protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"trace\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"traefik\": {\n \"type\": \"object\",\n \"properties\": {\n \"access\": {\n \"type\": 
\"object\",\n \"properties\": {\n \"backend_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"frontend_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"geoip\": {\n \"type\": \"object\",\n \"properties\": {\n \"city_name\": {\n \"path\": \"source.geo.city_name\",\n \"type\": \"alias\"\n },\n \"continent_name\": {\n \"path\": \"source.geo.continent_name\",\n \"type\": \"alias\"\n },\n \"country_iso_code\": {\n \"path\": \"source.geo.country_iso_code\",\n \"type\": \"alias\"\n },\n \"location\": {\n \"path\": \"source.geo.location\",\n \"type\": \"alias\"\n },\n \"region_iso_code\": {\n \"path\": \"source.geo.region_iso_code\",\n \"type\": \"alias\"\n },\n \"region_name\": {\n \"path\": \"source.geo.region_name\",\n \"type\": \"alias\"\n }\n }\n },\n \"request_count\": {\n \"type\": \"long\"\n },\n \"user_agent\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"path\": \"user_agent.name\",\n \"type\": \"alias\"\n },\n \"original\": {\n \"path\": \"user_agent.original\",\n \"type\": \"alias\"\n },\n \"os\": {\n \"path\": \"user_agent.os.full_name\",\n \"type\": \"alias\"\n },\n \"os_name\": {\n \"path\": \"user_agent.os.name\",\n \"type\": \"alias\"\n }\n }\n },\n \"user_identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"transaction\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"url\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fragment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"type\": \"wildcard\"\n },\n \"original\": {\n \"type\": \"wildcard\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"type\": \"wildcard\"\n },\n \"port\": {\n \"type\": \"long\"\n },\n 
\"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"registered_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scheme\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subdomain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"top_level_domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"changes\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"effective\": {\n \"type\": 
\"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"filesystem\": {\n \"type\": \"object\",\n \"properties\": {\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"owner\": {\n \"type\": \"object\",\n \"properties\": {\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"saved\": {\n \"type\": \"object\",\n \"properties\": {\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"target\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"group\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"hash\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"roles\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"terminal\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user_agent\": {\n \"type\": \"object\",\n \"properties\": {\n \"device\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"original\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"os\": {\n \"type\": \"object\",\n \"properties\": {\n \"family\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"full\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"full_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"kernel\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"platform\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vlan\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"vulnerability\": {\n \"type\": \"object\",\n \"properties\": {\n \"category\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"classification\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"description\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\",\n \"fields\": {\n \"text\": {\n \"type\": \"match_only_text\"\n }\n }\n },\n \"enumeration\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reference\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"report_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"scanner\": {\n \"type\": \"object\",\n \"properties\": {\n \"vendor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"score\": {\n \"type\": \"object\",\n \"properties\": {\n \"base\": {\n \"type\": \"float\"\n },\n \"environmental\": {\n \"type\": \"float\"\n },\n \"temporal\": {\n \"type\": \"float\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"alternative_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"not_after\": {\n \"type\": \"date\"\n },\n \"not_before\": {\n \"type\": \"date\"\n },\n \"public_key_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"public_key_exponent\": {\n \"index\": false,\n \"type\": \"long\",\n \"doc_values\": false\n },\n \"public_key_size\": {\n \"type\": \"long\"\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"distinguished_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_or_province\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"version_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"zeek\": {\n \"type\": \"object\",\n \"properties\": {\n \"capture_loss\": {\n \"type\": \"object\",\n \"properties\": {\n \"acks\": {\n \"type\": \"long\"\n },\n \"gaps\": {\n \"type\": \"long\"\n },\n \"peer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"percent_lost\": {\n \"type\": \"double\"\n },\n \"ts_delta\": {\n \"type\": \"long\"\n }\n }\n },\n \"connection\": {\n \"type\": \"object\",\n \"properties\": {\n \"history\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"type\": \"long\"\n }\n }\n },\n \"inner_vlan\": {\n \"type\": \"long\"\n },\n \"local_orig\": {\n \"type\": \"boolean\"\n },\n \"local_resp\": {\n \"type\": \"boolean\"\n },\n \"missed_bytes\": {\n \"type\": \"long\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state_message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"vlan\": {\n \"type\": \"long\"\n }\n }\n },\n \"dce_rpc\": {\n \"type\": \"object\",\n \"properties\": {\n \"endpoint\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"named_pipe\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"operation\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rtt\": {\n \"type\": \"long\"\n }\n }\n },\n \"dhcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"type\": \"object\",\n \"properties\": {\n \"assigned\": {\n \"type\": \"ip\"\n },\n \"client\": {\n \"type\": \"ip\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"requested\": {\n \"type\": \"ip\"\n },\n \"server\": {\n \"type\": \"ip\"\n }\n }\n },\n \"client_fqdn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"double\"\n },\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"type\": \"object\",\n \"properties\": {\n \"circuit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subscriber\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"lease_time\": {\n \"type\": \"long\"\n },\n \"msg\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"origin\": {\n \"type\": \"ip\"\n },\n \"server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"software\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"dnp3\": {\n \"type\": \"object\",\n \"properties\": {\n \"function\": {\n \"type\": \"object\",\n \"properties\": {\n \"reply\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"id\": {\n \"type\": \"long\"\n }\n }\n },\n \"dns\": {\n \"type\": \"object\",\n \"properties\": {\n \"AA\": 
{\n \"type\": \"boolean\"\n },\n \"RA\": {\n \"type\": \"boolean\"\n },\n \"RD\": {\n \"type\": \"boolean\"\n },\n \"TC\": {\n \"type\": \"boolean\"\n },\n \"TTLs\": {\n \"type\": \"double\"\n },\n \"answers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"qclass\": {\n \"type\": \"long\"\n },\n \"qclass_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"qtype\": {\n \"type\": \"long\"\n },\n \"qtype_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"query\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rcode\": {\n \"type\": \"long\"\n },\n \"rcode_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rejected\": {\n \"type\": \"boolean\"\n },\n \"rtt\": {\n \"type\": \"double\"\n },\n \"saw_query\": {\n \"type\": \"boolean\"\n },\n \"saw_reply\": {\n \"type\": \"boolean\"\n },\n \"total_answers\": {\n \"type\": \"long\"\n },\n \"total_replies\": {\n \"type\": \"long\"\n },\n \"trans_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"dpd\": {\n \"type\": \"object\",\n \"properties\": {\n \"analyzer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"failure_reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"packet_segment\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"files\": {\n \"type\": \"object\",\n \"properties\": {\n \"analyzers\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"depth\": {\n \"type\": \"long\"\n },\n \"duration\": {\n \"type\": \"double\"\n },\n \"entropy\": {\n \"type\": \"double\"\n },\n \"extracted\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extracted_cutoff\": {\n \"type\": \"boolean\"\n },\n \"extracted_size\": {\n \"type\": \"long\"\n },\n \"filename\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_orig\": {\n \"type\": \"boolean\"\n },\n \"local_orig\": 
{\n \"type\": \"boolean\"\n },\n \"md5\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"missing_bytes\": {\n \"type\": \"long\"\n },\n \"overflow_bytes\": {\n \"type\": \"long\"\n },\n \"parent_fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rx_host\": {\n \"type\": \"ip\"\n },\n \"seen_bytes\": {\n \"type\": \"long\"\n },\n \"session_ids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha1\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sha256\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timedout\": {\n \"type\": \"boolean\"\n },\n \"total_bytes\": {\n \"type\": \"long\"\n },\n \"tx_host\": {\n \"type\": \"ip\"\n }\n }\n },\n \"ftp\": {\n \"type\": \"object\",\n \"properties\": {\n \"arg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"capture_password\": {\n \"type\": \"boolean\"\n },\n \"cmdarg\": {\n \"type\": \"object\",\n \"properties\": {\n \"arg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cmd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"seq\": {\n \"type\": \"long\"\n }\n }\n },\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cwd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"data_channel\": {\n \"type\": \"object\",\n \"properties\": {\n \"originating_host\": {\n \"type\": \"ip\"\n },\n \"passive\": {\n \"type\": \"boolean\"\n },\n \"response_host\": {\n \"type\": \"ip\"\n },\n \"response_port\": {\n \"type\": \"long\"\n }\n }\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"size\": {\n \"type\": \"long\"\n }\n }\n },\n \"last_auth_requested\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n },\n \"passive\": {\n \"type\": \"boolean\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pending_commands\": {\n \"type\": \"long\"\n },\n \"reply\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"http\": {\n \"type\": \"object\",\n \"properties\": {\n \"captured_password\": {\n \"type\": \"boolean\"\n },\n \"client_header_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"info_code\": {\n \"type\": \"long\"\n },\n \"info_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"orig_filenames\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"orig_fuids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"orig_mime_depth\": {\n \"type\": \"long\"\n },\n \"orig_mime_types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"proxied\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"range_request\": {\n \"type\": \"boolean\"\n },\n \"resp_filenames\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resp_fuids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resp_mime_depth\": {\n \"type\": \"long\"\n },\n \"resp_mime_types\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server_header_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tags\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"trans_depth\": {\n \"type\": \"long\"\n }\n }\n },\n \"intel\": {\n \"type\": \"object\",\n \"properties\": {\n \"file_desc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_mime_type\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"matched\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"seen\": {\n \"type\": \"object\",\n \"properties\": {\n \"conn\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"f\": {\n \"type\": \"object\"\n },\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicator\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"indicator_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"node\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"where\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"sources\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"irc\": {\n \"type\": \"object\",\n \"properties\": {\n \"addl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dcc\": {\n \"type\": \"object\",\n \"properties\": {\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"size\": {\n \"type\": \"long\"\n }\n }\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"nick\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"kerberos\": {\n \"type\": \"object\",\n \"properties\": {\n \"cert\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"value\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"error\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"forwardable\": {\n \"type\": \"boolean\"\n },\n \"renewable\": {\n \"type\": \"boolean\"\n },\n \"request_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"success\": {\n \"type\": \"boolean\"\n },\n \"ticket\": {\n \"type\": \"object\",\n \"properties\": {\n \"auth\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"new\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"valid\": {\n \"type\": \"object\",\n \"properties\": {\n \"days\": {\n \"type\": \"long\"\n },\n \"from\": {\n \"type\": \"date\"\n },\n \"until\": {\n \"type\": \"date\"\n }\n }\n }\n }\n },\n \"modbus\": {\n \"type\": \"object\",\n \"properties\": {\n \"exception\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"function\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"track_address\": {\n \"type\": \"long\"\n }\n }\n },\n \"mysql\": {\n \"type\": \"object\",\n \"properties\": {\n \"arg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cmd\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"response\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"rows\": {\n \"type\": \"long\"\n 
},\n \"success\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"notice\": {\n \"type\": \"object\",\n \"properties\": {\n \"actions\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"connection_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dropped\": {\n \"type\": \"boolean\"\n },\n \"email_body_sections\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"email_delay_tokens\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"false\": {\n \"type\": \"long\"\n },\n \"ffile\": {\n \"type\": \"object\",\n \"properties\": {\n \"total_bytes\": {\n \"type\": \"long\"\n }\n }\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_orig\": {\n \"type\": \"boolean\"\n },\n \"mime_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"missing_bytes\": {\n \"type\": \"long\"\n },\n \"overflow_bytes\": {\n \"type\": \"long\"\n },\n \"parent_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"seen_bytes\": {\n \"type\": \"long\"\n },\n \"source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"fuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"icmp_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"note\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"peer_descr\": {\n \"norms\": false,\n \"type\": \"text\"\n },\n \"peer_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"suppress_for\": {\n \"type\": \"double\"\n }\n }\n },\n \"ntlm\": {\n \"type\": \"object\",\n \"properties\": {\n \"domain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hostname\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\n \"type\": \"object\",\n \"properties\": {\n \"dns\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"netbios\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tree\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"success\": {\n \"type\": \"boolean\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"ntp\": {\n \"type\": \"object\",\n \"properties\": {\n \"mode\": {\n \"type\": \"long\"\n },\n \"num_exts\": {\n \"type\": \"long\"\n },\n \"org_time\": {\n \"type\": \"date\"\n },\n \"poll\": {\n \"type\": \"double\"\n },\n \"precision\": {\n \"type\": \"double\"\n },\n \"rec_time\": {\n \"type\": \"date\"\n },\n \"ref_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ref_time\": {\n \"type\": \"date\"\n },\n \"root_delay\": {\n \"type\": \"double\"\n },\n \"root_disp\": {\n \"type\": \"double\"\n },\n \"stratum\": {\n \"type\": \"long\"\n },\n \"version\": {\n \"type\": \"long\"\n },\n \"xmt_time\": {\n \"type\": \"date\"\n }\n }\n },\n \"ocsp\": {\n \"type\": \"object\",\n \"properties\": {\n \"file_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"hash\": {\n \"type\": \"object\",\n \"properties\": {\n \"algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"revoke\": {\n \"type\": \"object\",\n \"properties\": {\n \"reason\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"time\": {\n \"type\": \"date\"\n }\n }\n },\n \"serial_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"update\": {\n \"type\": \"object\",\n \"properties\": {\n 
\"next\": {\n \"type\": \"date\"\n },\n \"this\": {\n \"type\": \"date\"\n }\n }\n }\n }\n },\n \"pe\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"compile_time\": {\n \"type\": \"date\"\n },\n \"has_cert_table\": {\n \"type\": \"boolean\"\n },\n \"has_debug_data\": {\n \"type\": \"boolean\"\n },\n \"has_export_table\": {\n \"type\": \"boolean\"\n },\n \"has_import_table\": {\n \"type\": \"boolean\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_64bit\": {\n \"type\": \"boolean\"\n },\n \"is_exe\": {\n \"type\": \"boolean\"\n },\n \"machine\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"os\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"section_names\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subsystem\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uses_aslr\": {\n \"type\": \"boolean\"\n },\n \"uses_code_integrity\": {\n \"type\": \"boolean\"\n },\n \"uses_dep\": {\n \"type\": \"boolean\"\n },\n \"uses_seh\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"radius\": {\n \"type\": \"object\",\n \"properties\": {\n \"connect_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"framed_addr\": {\n \"type\": \"ip\"\n },\n \"logged\": {\n \"type\": \"boolean\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"remote_ip\": {\n \"type\": \"ip\"\n },\n \"reply_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ttl\": {\n \"type\": \"long\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"rdp\": {\n \"type\": \"object\",\n \"properties\": {\n \"cert\": {\n \"type\": \"object\",\n \"properties\": {\n \"count\": {\n \"type\": \"long\"\n },\n \"permanent\": {\n \"type\": \"boolean\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n 
\"type\": \"keyword\"\n }\n }\n },\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"build\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"product_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"cookie\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"desktop\": {\n \"type\": \"object\",\n \"properties\": {\n \"color_depth\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"height\": {\n \"type\": \"long\"\n },\n \"width\": {\n \"type\": \"long\"\n }\n }\n },\n \"done\": {\n \"type\": \"boolean\"\n },\n \"encryption\": {\n \"type\": \"object\",\n \"properties\": {\n \"level\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"keyboard_layout\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"security_protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ssl\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"rfb\": {\n \"type\": \"object\",\n \"properties\": {\n \"auth\": {\n \"type\": \"object\",\n \"properties\": {\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"success\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"desktop_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"height\": {\n \"type\": \"long\"\n },\n \"share_flag\": {\n \"type\": \"boolean\"\n },\n \"version\": {\n \"type\": \"object\",\n \"properties\": {\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"major\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"minor\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"major\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"minor\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"width\": {\n \"type\": \"long\"\n }\n }\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature\": {\n \"type\": \"object\",\n \"properties\": {\n \"event_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_count\": {\n \"type\": \"long\"\n },\n \"note\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sig_count\": {\n \"type\": \"long\"\n },\n \"sig_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_msg\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"sip\": {\n \"type\": \"object\",\n \"properties\": {\n \"call_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"content_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"date\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reply_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"body_length\": {\n \"type\": \"long\"\n },\n \"from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"response\": {\n \"type\": \"object\",\n \"properties\": {\n \"body_length\": {\n \"type\": \"long\"\n },\n \"from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"sequence\": {\n \"type\": \"object\",\n \"properties\": {\n \"method\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"status\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"type\": \"long\"\n },\n \"msg\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n }\n }\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transaction_depth\": {\n \"type\": \"long\"\n },\n \"uri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"warning\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"smb_cmd\": {\n \"type\": \"object\",\n \"properties\": {\n \"argument\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host\": {\n \"type\": \"object\",\n \"properties\": {\n \"rx\": {\n \"type\": \"ip\"\n },\n \"tx\": {\n \"type\": \"ip\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"rtt\": {\n \"type\": \"double\"\n },\n \"smb1_offered_dialects\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"smb2_offered_dialects\": {\n \"type\": \"long\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"sub_command\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tree\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"tree_service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"username\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"smb_files\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fid\": {\n \"type\": \"long\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"previous_name\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"size\": {\n \"type\": \"long\"\n },\n \"times\": {\n \"type\": \"object\",\n \"properties\": {\n \"accessed\": {\n \"type\": \"date\"\n },\n \"changed\": {\n \"type\": \"date\"\n },\n \"created\": {\n \"type\": \"date\"\n },\n \"modified\": {\n \"type\": \"date\"\n }\n }\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"smb_mapping\": {\n \"type\": \"object\",\n \"properties\": {\n \"native_file_system\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"service\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"share_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"smtp\": {\n \"type\": \"object\",\n \"properties\": {\n \"cc\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"date\": {\n \"type\": \"date\"\n },\n \"first_received\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"fuids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"has_client_activity\": {\n \"type\": \"boolean\"\n },\n \"helo\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"in_reply_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"is_webmail\": {\n \"type\": \"boolean\"\n },\n \"last_reply\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mail_from\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"msg_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"path\": {\n \"type\": \"ip\"\n },\n \"process_received_from\": {\n \"type\": \"boolean\"\n },\n \"rcpt_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reply_to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"second_received\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n 
\"tls\": {\n \"type\": \"boolean\"\n },\n \"to\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"transaction_depth\": {\n \"type\": \"long\"\n },\n \"user_agent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"x_originating_ip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"snmp\": {\n \"type\": \"object\",\n \"properties\": {\n \"community\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"display_string\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"double\"\n },\n \"get\": {\n \"type\": \"object\",\n \"properties\": {\n \"bulk_requests\": {\n \"type\": \"long\"\n },\n \"requests\": {\n \"type\": \"long\"\n },\n \"responses\": {\n \"type\": \"long\"\n }\n }\n },\n \"set\": {\n \"type\": \"object\",\n \"properties\": {\n \"requests\": {\n \"type\": \"long\"\n }\n }\n },\n \"up_since\": {\n \"type\": \"date\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"socks\": {\n \"type\": \"object\",\n \"properties\": {\n \"bound\": {\n \"type\": \"object\",\n \"properties\": {\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"capture_password\": {\n \"type\": \"boolean\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"request\": {\n \"type\": \"object\",\n \"properties\": {\n \"host\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"port\": {\n \"type\": \"long\"\n }\n }\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"type\": \"long\"\n }\n }\n },\n \"ssh\": {\n \"type\": \"object\",\n \"properties\": {\n \"algorithm\": {\n \"type\": \"object\",\n \"properties\": {\n \"cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"compression\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"host_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"key_exchange\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"mac\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"auth\": {\n \"type\": \"object\",\n \"properties\": {\n \"attempts\": {\n \"type\": \"long\"\n },\n \"success\": {\n \"type\": \"boolean\"\n }\n }\n },\n \"client\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"direction\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"server\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"version\": {\n \"type\": \"long\"\n }\n }\n },\n \"ssl\": {\n \"type\": \"object\",\n \"properties\": {\n \"cipher\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"client\": {\n \"type\": \"object\",\n \"properties\": {\n \"cert_chain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_chain_fuids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"established\": {\n \"type\": \"boolean\"\n },\n \"last_alert\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"next_protocol\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resumed\": {\n \"type\": \"boolean\"\n },\n \"server\": {\n \"type\": \"object\",\n \"properties\": {\n \"cert_chain\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"cert_chain_fuids\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"validation\": {\n \"type\": \"object\",\n \"properties\": {\n \"code\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n 
}\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"stats\": {\n \"type\": \"object\",\n \"properties\": {\n \"bytes\": {\n \"type\": \"object\",\n \"properties\": {\n \"received\": {\n \"type\": \"long\"\n }\n }\n },\n \"connections\": {\n \"type\": \"object\",\n \"properties\": {\n \"icmp\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"count\": {\n \"type\": \"long\"\n }\n }\n },\n \"tcp\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"count\": {\n \"type\": \"long\"\n }\n }\n },\n \"udp\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"count\": {\n \"type\": \"long\"\n }\n }\n }\n }\n },\n \"dns_requests\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"count\": {\n \"type\": \"long\"\n }\n }\n },\n \"events\": {\n \"type\": \"object\",\n \"properties\": {\n \"processed\": {\n \"type\": \"long\"\n },\n \"queued\": {\n \"type\": \"long\"\n }\n }\n },\n \"files\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"count\": {\n \"type\": \"long\"\n }\n }\n },\n \"memory\": {\n \"type\": \"long\"\n },\n \"packets\": {\n \"type\": \"object\",\n \"properties\": {\n \"dropped\": {\n \"type\": \"long\"\n },\n \"processed\": {\n \"type\": \"long\"\n },\n \"received\": {\n \"type\": \"long\"\n }\n }\n },\n \"peer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"reassembly_size\": {\n \"type\": \"object\",\n \"properties\": {\n \"file\": {\n \"type\": \"long\"\n },\n \"frag\": {\n \"type\": \"long\"\n },\n \"tcp\": {\n \"type\": \"long\"\n },\n \"unknown\": {\n \"type\": \"long\"\n }\n }\n },\n \"timers\": {\n \"type\": \"object\",\n \"properties\": {\n \"active\": {\n \"type\": \"long\"\n },\n \"count\": {\n \"type\": \"long\"\n }\n }\n },\n \"timestamp_lag\": {\n \"type\": \"long\"\n }\n }\n },\n 
\"syslog\": {\n \"type\": \"object\",\n \"properties\": {\n \"facility\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"severity\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"tunnel\": {\n \"type\": \"object\",\n \"properties\": {\n \"action\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"weird\": {\n \"type\": \"object\",\n \"properties\": {\n \"additional_info\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"identifier\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"notice\": {\n \"type\": \"boolean\"\n },\n \"peer\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"x509\": {\n \"type\": \"object\",\n \"properties\": {\n \"basic_constraints\": {\n \"type\": \"object\",\n \"properties\": {\n \"certificate_authority\": {\n \"type\": \"boolean\"\n },\n \"path_length\": {\n \"type\": \"long\"\n }\n }\n },\n \"certificate\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"curve\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"exponent\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issuer\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"key\": {\n \"type\": \"object\",\n \"properties\": 
{\n \"algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"length\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"serial\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"signature_algorithm\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"subject\": {\n \"type\": \"object\",\n \"properties\": {\n \"common_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"locality\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organization\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"organizational_unit\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"valid\": {\n \"type\": \"object\",\n \"properties\": {\n \"from\": {\n \"type\": \"date\"\n },\n \"until\": {\n \"type\": \"date\"\n }\n }\n },\n \"version\": {\n \"type\": \"long\"\n }\n }\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"log_cert\": {\n \"type\": \"boolean\"\n },\n \"san\": {\n \"type\": \"object\",\n \"properties\": {\n \"dns\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ip\": {\n \"type\": \"ip\"\n },\n \"other_fields\": {\n \"type\": \"boolean\"\n },\n \"uri\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"zookeeper\": {\n \"type\": \"object\",\n \"properties\": {\n \"audit\": {\n \"type\": \"object\",\n \"properties\": {\n \"acl\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"result\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"znode\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"znode_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"zoom\": {\n \"type\": \"object\",\n \"properties\": {\n \"account\": {\n \"type\": \"object\",\n \"properties\": {\n \"account_alias\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"account_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"account_support_email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"account_support_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner_email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"owner_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"chat_channel\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"chat_message\": {\n \"type\": \"object\",\n \"properties\": {\n \"channel_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"channel_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"contact_email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"contact_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"message\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"session_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"creation_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"master_account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"meeting\": {\n 
\"type\": \"object\",\n \"properties\": {\n \"duration\": {\n \"type\": \"long\"\n },\n \"host_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issues\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"start_time\": {\n \"type\": \"date\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"topic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"old_values\": {\n \"type\": \"flattened\"\n },\n \"operator\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"operator_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"participant\": {\n \"type\": \"object\",\n \"properties\": {\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"join_time\": {\n \"type\": \"date\"\n },\n \"leave_time\": {\n \"type\": \"date\"\n },\n \"sharing_details\": {\n \"type\": \"object\",\n \"properties\": {\n \"content\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"date_time\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"file_link\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"link_source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"source\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"user_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"phone\": {\n \"type\": \"object\",\n \"properties\": {\n \"answer_start_time\": {\n \"type\": \"date\"\n },\n \"call_end_time\": {\n \"type\": \"date\"\n },\n \"call_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"callee\": {\n \"type\": \"object\",\n 
\"properties\": {\n \"device_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"caller\": {\n \"type\": \"object\",\n \"properties\": {\n \"device_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"extension_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"number_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"user_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"connected_start_time\": {\n \"type\": \"date\"\n },\n \"date_time\": {\n \"type\": \"date\"\n },\n \"download_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"long\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"ringing_start_time\": {\n \"type\": \"date\"\n },\n \"user_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"recording\": {\n \"type\": \"object\",\n \"properties\": {\n \"duration\": {\n \"type\": \"long\"\n },\n \"host_email\": {\n 
\"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"recording_count\": {\n \"type\": \"long\"\n },\n \"recording_file\": {\n \"type\": \"object\",\n \"properties\": {\n \"recording_end\": {\n \"type\": \"date\"\n },\n \"recording_start\": {\n \"type\": \"date\"\n }\n }\n },\n \"share_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"start_time\": {\n \"type\": \"date\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"topic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"total_size\": {\n \"type\": \"long\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"registrant\": {\n \"type\": \"object\",\n \"properties\": {\n \"address\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"city\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"comments\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"first_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"industry\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"job_title\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"join_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"no_of_employees\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"org\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"purchasing_time_frame\": {\n \"ignore_above\": 
1024,\n \"type\": \"keyword\"\n },\n \"role_in_purchase_process\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"state\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"zip\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"settings\": {\n \"type\": \"flattened\"\n },\n \"sub_account_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timestamp\": {\n \"type\": \"date\"\n },\n \"user\": {\n \"type\": \"object\",\n \"properties\": {\n \"client_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"company\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"dept\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"first_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"host_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"language\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"last_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"personal_notes\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone_country\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"phone_number\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pic_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"pmi\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"presence_status\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"role\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"use_pmi\": {\n \"type\": \"boolean\"\n },\n \"vanity_name\": {\n \"ignore_above\": 1024,\n \"type\": 
\"keyword\"\n },\n \"version\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"webinar\": {\n \"type\": \"object\",\n \"properties\": {\n \"agenda\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"duration\": {\n \"type\": \"long\"\n },\n \"host_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issues\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"join_url\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"password\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"start_time\": {\n \"type\": \"date\"\n },\n \"timezone\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"topic\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"uuid\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n },\n \"zoomroom\": {\n \"type\": \"object\",\n \"properties\": {\n \"alert_kind\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"alert_type\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"calendar_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"calendar_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"change_key\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"component\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"event_id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"id\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"issue\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"resource_email\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"room_name\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n },\n \"aliases\": {\n \"demo\": {}\n }\n },\n \"index_patterns\": 
[\n \"demo-*\"\n ]\n}\n<\/code><\/pre>\n\n\n\nUnder Logistics, set the name of the index template and the index pattern, and toggle off<\/strong> the Create Data Stream<\/strong> button to DISABLE<\/strong> the creation of a data stream.<\/p>\n\n\n\nAlso, ensure the priority number, if defined, does not match the value of the index pattern being cloned.<\/p>\n\n\n\nOn Component templates<\/strong>, we will use the default settings and just proceed to the next page.<\/p>\n\n\n\nFor the Index Settings<\/strong>, we will only change the ILM policy<\/strong> and define the index rollover alias. When you clone the Filebeat index template, it will be configured to use the Filebeat ILM policy by default.<\/p>\n\n\n\nFor Mappings<\/strong>, we will use the default settings.<\/p>\n\n\n\nLet’s skip Index Aliases<\/strong>. Although an alias is required for policies that use the rollover action, we will create it in the next section.<\/p>\n\n\n\nReview the template and create it.<\/p>\n\n\n\n
Create the Index<\/h4>\n\n\n\n To begin using the custom index, you need to bootstrap it and designate it as the write index for the rollover alias specified in the index template. The name of this index must match the template\u2019s index pattern and end with a number. On rollover, this value is incremented to generate a name for the new index.<\/p>\n\n\n\n
To create the index, you can execute the API command below from the Kibana console (Kibana > Management > DevTools > Console<\/strong>);<\/p>\n\n\n\nPUT <index-pattern>\n{\n \"aliases\": {\n \"ALIAS_NAME\": {\n \"is_write_index\": true\n }\n }\n}\n<\/code><\/pre>\n\n\n\nFor example, in my setup, I am creating an index named like demo-{now\/d}-000001<\/code><\/strong>. In the request, the date math name is wrapped in angle brackets and percent-encoded, as shown below;<\/p>\n\n\n\n\nPUT %3Cdemo-%7Bnow%2Fd%7D-000001%3E\n{\n \"aliases\": {\n \"demo\": {\n \"is_write_index\": true\n }\n }\n}\n<\/code><\/pre>\n\n\n\nSample output;<\/p>\n\n\n\n
\n{\n \"demo-2023.07.01-000001\": {\n \"aliases\": {\n \"demo\": {\n \"is_write_index\": true\n }\n }\n }\n}\n<\/code><\/pre>\n\n\n\nYou can also do this from command line as long as you have access to Elasticsearch;<\/p>\n\n\n\n
You should now be able to see your index created;<\/p>\n\n\n\nConfiguring Filebeat 8 to Write Logs to Specific Index<\/h3>\n\n\n\n Now that we have the index template created and our custom index bootstrapped, how can you configure Filebeat to write data to the specific custom index?<\/p>\n\n\n\n
Open the Filebeat configuration file for editing;<\/p>\n\n\n\n
vim \/etc\/filebeat\/filebeat.yml<\/code><\/pre>\n\n\n\nDefine the index name<\/strong> and set the template<\/strong> and template pattern<\/strong> to match what you created under index templates above.<\/p>\n\n\n\nSee my config below;<\/p>\n\n\n\n
\n# ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n hosts: [\"elk.kifarunix-demo.com:9200\"]\n protocol: \"https\"\n ssl.certificate_authorities: [\"\/etc\/filebeat\/elastic-ca.crt\"]\n # Write to the rollover alias bootstrapped above\n index: demo\n # Demo credentials shown inline; in production, reference a Filebeat keystore entry instead\n username: \"elastic\"\n password: \"ALL16n6Xv5yJclrWt5Sc\"\n#\nsetup.template.name: \"demo\"\nsetup.template.pattern: \"demo-*\"\n<\/code><\/pre>\n\n\n\nSave and exit the file.<\/p>\n\n\n\n
Check the Filebeat configuration for syntax errors and ensure the output is Config OK<\/strong>;<\/p>\n\n\n\nfilebeat test config<\/code><\/pre>\n\n\n\n(Re)start Filebeat;<\/p>\n\n\n\n
systemctl restart filebeat<\/code><\/pre>\n\n\n\nVerify Data Reception on Custom Index<\/h4>\n\n\n\n Navigate to Index Management > Indices and search for the index pattern;<\/p>\n\n\n\nAs you can see, the size is now at 356kb, which means data is being written to our index;<\/p>\n\n\n\n
If you keep watching it, the index should be rolled over as per the ILM policy settings.<\/p>\n\n\n\nAs mentioned above, you can use the ILM explain API to check the lifecycle state of the index;<\/p>\n\n\n\n
GET demo-*\/_ilm\/explain<\/code><\/pre>\n\n\n\n\n{\n \"indices\": {\n \"demo-2023.07.01-000001\": {\n \"index\": \"demo-2023.07.01-000001\",\n \"managed\": true,\n \"policy\": \"demo\",\n \"index_creation_date_millis\": 1688235705996,\n \"time_since_index_creation\": \"18.06m\",\n \"lifecycle_date_millis\": 1688236507512,\n \"age\": \"4.7m\",\n \"phase\": \"hot\",\n \"phase_time_millis\": 1688235706480,\n \"action\": \"complete\",\n \"action_time_millis\": 1688236508513,\n \"step\": \"complete\",\n \"step_time_millis\": 1688236508513,\n \"phase_execution\": {\n \"policy\": \"demo\",\n \"phase_definition\": {\n \"min_age\": \"0ms\",\n \"actions\": {\n \"set_priority\": {\n \"priority\": 100\n },\n \"rollover\": {\n \"max_age\": \"5m\",\n \"max_primary_shard_size\": \"2mb\"\n }\n }\n },\n \"version\": 1,\n \"modified_date_in_millis\": 1688231867049\n }\n },\n \"demo-2023.07.01-000002\": {\n \"index\": \"demo-2023.07.01-000002\",\n \"managed\": true,\n \"policy\": \"demo\",\n \"index_creation_date_millis\": 1688236507494,\n \"time_since_index_creation\": \"4.7m\",\n \"lifecycle_date_millis\": 1688236507494,\n \"age\": \"4.7m\",\n \"phase\": \"hot\",\n \"phase_time_millis\": 1688236507912,\n \"action\": \"rollover\",\n \"action_time_millis\": 1688236508313,\n \"step\": \"check-rollover-ready\",\n \"step_time_millis\": 1688236508313,\n \"phase_execution\": {\n \"policy\": \"demo\",\n \"phase_definition\": {\n \"min_age\": \"0ms\",\n \"actions\": {\n \"set_priority\": {\n \"priority\": 100\n },\n \"rollover\": {\n \"max_age\": \"5m\",\n \"max_primary_shard_size\": \"2mb\"\n }\n }\n },\n \"version\": 1,\n \"modified_date_in_millis\": 1688231867049\n }\n }\n }\n}\n<\/code><\/pre>\n\n\n\nCreate Kibana Data View<\/h3>\n\n\n\n You can now create a Kibana data view for your custom index to allow you to visualize the data.<\/p>\n\n\n\n
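The `_ilm/explain` check from the previous section can be scripted so that a stalled rollover on the log index is caught early. This is an added example, not part of the original guide: it audits a parsed `_ilm/explain` response for unmanaged indices, a wrong policy, names that rollover cannot increment, and the ILM `ERROR` step. The function names, the `expected_policy` parameter and the failure sample are assumptions of this example.

```python
import json
import re

# Trimmed copy of the `GET demo-*/_ilm/explain` response shown in the guide
# (timing and phase_execution fields dropped).
PAGE_SAMPLE = json.loads("""
{"indices": {
  "demo-2023.07.01-000001": {"index": "demo-2023.07.01-000001", "managed": true,
    "policy": "demo", "phase": "hot", "action": "complete", "step": "complete"},
  "demo-2023.07.01-000002": {"index": "demo-2023.07.01-000002", "managed": true,
    "policy": "demo", "phase": "hot", "action": "rollover",
    "step": "check-rollover-ready"}
}}
""")

# Constructed failure case (not from the guide): rollover has failed on the
# write index, and an index matching demo-* exists that ILM does not manage.
BROKEN_SAMPLE = json.loads("""
{"indices": {
  "demo-2023.07.01-000001": {"index": "demo-2023.07.01-000001", "managed": true,
    "policy": "demo", "phase": "hot", "action": "rollover", "step": "ERROR",
    "failed_step": "check-rollover-ready"},
  "demo-manual": {"index": "demo-manual", "managed": false}
}}
""")

SEQ_RE = re.compile(r"-(\d+)$")


def rollover_sequence(name):
    """Return the numeric suffix that rollover increments, or None if absent."""
    match = SEQ_RE.search(name)
    return int(match.group(1)) if match else None


def audit_ilm(explain, expected_policy):
    """Return sorted (index, problem) tuples; an empty list means healthy."""
    findings = []
    in_rollover = []  # indices whose current ILM action is still "rollover"
    indices = explain.get("indices", {})
    for name, info in indices.items():
        if rollover_sequence(name) is None:
            findings.append((name, "name does not end with a number"))
        if not info.get("managed"):
            findings.append((name, "not managed by ILM"))
            continue
        if info.get("policy") != expected_policy:
            findings.append((name, "policy is %r, expected %r"
                             % (info.get("policy"), expected_policy)))
        if info.get("step") == "ERROR":
            findings.append((name, "ILM step ERROR (failed step: %s)"
                             % info.get("failed_step", "unknown")))
        if info.get("action") == "rollover":
            in_rollover.append(name)

    # In steady state only the current write index waits on rollover, and it
    # carries the highest sequence number.
    numbered = [n for n in indices if rollover_sequence(n) is not None]
    if len(in_rollover) != 1:
        findings.append(("*", "expected 1 index in the rollover action, found %d"
                         % len(in_rollover)))
    elif numbered and in_rollover[0] != max(numbered, key=rollover_sequence):
        findings.append((in_rollover[0], "awaits rollover but is not the newest index"))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("page sample", PAGE_SAMPLE), ("broken sample", BROKEN_SAMPLE)):
        problems = audit_ilm(sample, "demo")
        print(label, "->", "OK" if not problems else problems)
```

Pass it the parsed JSON of a live `GET demo-*/_ilm/explain` response to run the same checks against your own indices.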
Navigate to Management > Kibana > Data Views > Create Data View<\/strong>.<\/p>\n\n\n\nSave the data view.<\/p>\n\n\n\n
Visualize Data on Kibana<\/h3>\n\n\n\n You can now visualize the data on Kibana by navigating to Analytics > Discover<\/strong> and selecting your data view from the drop-down;<\/p>\n\n\n\nAnd there you go!<\/p>\n\n\n\n
You can also follow the guide below to configure Filebeat 8 to write logs to specific Data Stream;<\/p>\n\n\n\n
Configure Filebeat 8 to Write Logs to Specific Data Stream<\/a><\/p>\n\n\n\nOther Tutorials<\/h3>\n\n\n\n Easily Configure Elasticsearch HTTPS Connection<\/a><\/p>\n\n\n\nHow to Fix Filebeat Glibc Related Errors on Ubuntu 22.04<\/a><\/p>\n"}}