Input packages: dataset var and dotted index patterns#17924
Open
marc-gr wants to merge 4 commits intoelastic:mainfrom
Open
Input packages: dataset var and dotted index patterns#17924marc-gr wants to merge 4 commits intoelastic:mainfrom
marc-gr wants to merge 4 commits intoelastic:mainfrom
Conversation
This was referenced Mar 20, 2026
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
andrewkroh
added
Integration:unifiedlogs
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
|
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
jsoriano
requested changes
Mar 20, 2026
Member
jsoriano
left a comment
jsoriano
left a comment
There was a problem hiding this comment.
I think only the change in the configuration template is needed. Data streams and input patterns should be managed by Fleet.
packages/unifiedlogs/elasticsearch/index_template/template.json
Outdated
Show resolved
Hide resolved
marc-gr
force-pushed
the
input-template-fixes
branch
from
89804c1 to
6c92105
Compare
Contributor
Author
|
Yes I realized it was missing after the fact. This feels like prone to error though, would be interesting to enforce it somehow |
jsoriano
approved these changes
Mar 20, 2026
andrewkroh
removed
Integration:winlog
- Policy tests for default (unifiedlogs.generic) and custom (elastic_agent.test) datasets - Expose data_stream.dataset in manifest for Fleet (aligned with filestream/cel) - Bump package to 0.4.2
💚 Build Succeeded
History
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses #15295 for the Custom macOS Unified Logs (
unifiedlogs) input package by making the dataset configurable and visible in Fleet, and by ensuring the agent input config receivesdata_stream.dataset(same idea as other input packages, e.g. winlog).Changes (unifiedlogs only)
manifest.yml: adddata_stream.dataset(defaultunifiedlogs.generic, required, user-visible).agent/input/unifiedlogs.yml.hbs: emitdata_stream.datasetunderdata_stream:so Fleet-generated policies pass the dataset through to the agent.changelog.yml: version bump + entry (see PR)._dev/test/policy/): default dataset vs custom dataset (elastic_agent.test) to lock in the generated Fleet/agent policy shape.Related