Hi,

There is a parameter "fieldNameConverter" in the parser indexing configuration:

fieldNameConverter
"Defines how field names are transformed before being written to the index. Only applicable to elasticsearch. Defaults to DEDOT. Acceptable values are DEDOT that replaces all '.' with ':' or NOOP that does not change the field names."

https://github.com/apache/metron/blob/master/metron-platform/metron-indexing/metron-indexing-common/README.md#sensor-indexing-configuration

Usage example:

    "elasticsearch": {
      "batchSize": 100,
      "enabled": true,
      "index": "myindex",
      "fieldNameConverter": "NOOP"
    },

On 2020/02/01 00:00:04, "Yerex, Tom" <[email protected]> wrote:
> Good afternoon,
>
> Our Metron installation uses colons in the field names. For example, geo ip
> enriched data appears as “enrichments:geo:ip_dst_addr:country”. Under Kibana
> (and from what I read Banana), the colon cannot be properly escaped for use
> with Timelion.
>
> My question: has anyone figured out a way to escape colons in their query or
> another workaround in general? Is there a setting somewhere that can be used
> to change the default from a colon to a period or another character?
>
> Thank you,
>
> Tom.
