{ "dynamic": "false", "properties": { "@timestamp": { "type": "date" }, "message": { "norms": false, "type": "text" }, "tags": { "ignore_above": 1024, "type": "keyword", "meta": { "isArray": "true" } }, "ecs": { "properties": { "version": { "ignore_above": 1024, "type": "keyword" } } }, "error": { "properties": { "code": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "message": { "norms": false, "type": "text" }, "stack_trace": { "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, "ignore_above": 1024, "index": false, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } }, "event": { "properties": { "action": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword", "meta": { "isArray": "true" } }, "code": { "ignore_above": 1024, "type": "keyword" }, "created": { "type": "date" }, "dataset": { "ignore_above": 1024, "type": "keyword" }, "duration": { "type": "long" }, "end": { "type": "date" }, "hash": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "ingested": { "type": "date" }, "kind": { "ignore_above": 1024, "type": "keyword" }, "module": { "ignore_above": 1024, "type": "keyword" }, "original": { "doc_values": false, "ignore_above": 1024, "index": false, "type": "keyword" }, "outcome": { "ignore_above": 1024, "type": "keyword" }, "provider": { "ignore_above": 1024, "type": "keyword" }, "reason": { "ignore_above": 1024, "type": "keyword" }, "reference": { "ignore_above": 1024, "type": "keyword" }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "sequence": { "type": "long" }, "severity": { "type": "long" }, "start": { "type": "date" }, "timezone": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword", "meta": { "isArray": "true" } }, "url": { "ignore_above": 1024, "type": "keyword" } } }, "log": { "properties": { "level": { "ignore_above": 1024, "type": "keyword" }, "logger": { "ignore_above": 1024, "type": "keyword" } } }, "rule": { "properties": { "author": { "ignore_above": 1024, "type": "keyword", "meta": { "isArray": "true" } }, "category": { "ignore_above": 1024, "type": "keyword" }, "description": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "license": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "reference": { "ignore_above": 1024, "type": "keyword" }, "ruleset": { "ignore_above": 1024, "type": "keyword" }, "uuid": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" } } }, "user": { "properties": { "name": { "fields": { "text": { "norms": false, "type": "text" } }, "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "kibana": { "properties": { "server_uuid": { "type": "keyword", "ignore_above": 1024 }, "task": { "properties": { "id": { "type": "keyword" }, "scheduled": { "type": "date" }, "schedule_delay": { "type": "long" } } }, "alerting": { "properties": { "instance_id": { "type": "keyword", "ignore_above": 1024 }, "action_group_id": { "type": "keyword", "ignore_above": 1024 }, "action_subgroup": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "outcome": { "type": "keyword", "ignore_above": 1024 }, "summary": { "properties": { "new": { "properties": { "count": { "type": "long" } } }, "ongoing": { "properties": { "count": { "type": "long" } } }, "recovered": { "properties": { "count": { "type": "long" } } } } } } }, "alert": { "properties": { "flapping": { "type": "boolean" }, "maintenance_window_ids": { "type": "keyword", "ignore_above": 1024, "meta": { "isArray": "true" } }, "uuid": { "type": "keyword", "ignore_above": 1024 }, "rule": { "properties": { "consumer": { "type": "keyword", "ignore_above": 1024 }, "execution": { "properties": { "uuid": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "status_order": { "type": "long" }, "metrics": { "properties": { "number_of_triggered_actions": { "type": "long" }, "number_of_generated_actions": { "type": "long" }, "alert_counts": { "properties": { "active": { "type": "long" }, "new": { "type": "long" }, "recovered": { "type": "long" } } }, "number_of_searches": { "type": "long" }, "total_indexing_duration_ms": { "type": "long" }, "es_search_duration_ms": { "type": "long" }, "total_search_duration_ms": { "type": "long" }, "execution_gap_duration_s": { "type": "long" }, "rule_type_run_duration_ms": { "type": "long" }, "process_alerts_duration_ms": { "type": "long" }, "trigger_actions_duration_ms": { "type": "long" }, "process_rule_duration_ms": { "type": "long" }, "claim_to_start_duration_ms": { "type": "long" }, "persist_alerts_duration_ms": { "type": "long" }, "prepare_rule_duration_ms": { "type": "long" }, "total_run_duration_ms": { "type": "long" }, "total_enrichment_duration_ms": { "type": "long" } } } } }, "revision": { "type": "long" }, "rule_type_id": { "type": "keyword", "ignore_above": 1024 } } } } }, "saved_objects": { "type": "nested", "properties": { "rel": { "type": "keyword", "ignore_above": 1024 }, "namespace": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "type_id": { "type": "keyword", "ignore_above": 1024 }, "space_agnostic": { "type": "boolean" } } }, "space_ids": { "type": "keyword", "ignore_above": 1024, "meta": { "isArray": "true" } }, "version": { "type": "version" }, "action": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "type": "keyword", "ignore_above": 1024 }, "execution": { "properties": { "source": { "ignore_above": 1024, "type": "keyword" }, "uuid": { "ignore_above": 1024, "type": "keyword" }, "gen_ai": { "properties": { "usage": { "properties": { "prompt_tokens": { "type": "long" }, "completion_tokens": { "type": "long" }, "total_tokens": { "type": "long" } } } } } } } } } } } } }