Created June 28, 2024 20:02
Gist: rylnd/b931bebc4a4e3e49daf3781fda80ab0d

WIP script to update rules to use event.ingested instead of @timestamp
```sh
#!/bin/sh
#
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
#

set -e

./check_env_variables.sh

# Fetch the rules; find_rules.sh returns the full API response, the rules sit under .data
rules_response_json="$(./find_rules.sh)"
rules_json="$(echo "$rules_response_json" | jq -r '.data')"

# Point every rule at event.ingested and disable the fallback to @timestamp
rules_with_override_json="$(echo "$rules_json" | jq -r 'map(. + { timestamp_override: "event.ingested", timestamp_override_fallback_disabled: true })')"

# echo "rules: $rules_response_json"
# echo "rules_with_override: $rules_with_override_json"

# WIP: only print each updated rule for now.
# IFS= and -r keep leading whitespace and backslashes in the JSON intact.
echo "$rules_with_override_json" | jq -c '.[]' | while IFS= read -r rule; do
  echo "rule: $rule"
done

echo "done"
```
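The same transformation as the gist's jq map, written here in Python so it runs without jq or a Kibana instance (added example, not part of the gist). It goes one step beyond the script: with `keep_existing=True` a rule that already names a different `timestamp_override` is left alone rather than clobbered, and the id fields are preserved so the result can be sent back as an update. The sample response is constructed; `find_rules.sh` and `check_env_variables.sh` are not reproduced.

```python
import json
from copy import deepcopy

# Constructed sample: a trimmed find_rules-style response with two rules.
# Field names follow the gist (data, timestamp_override, timestamp_override_fallback_disabled).
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"id": "r-1", "rule_id": "rule-one", "name": "Suspicious process", "enabled": True},
        {"id": "r-2", "rule_id": "rule-two", "name": "Custom override",
         "timestamp_override": "custom.ts", "timestamp_override_fallback_disabled": False},
    ]
})

# The fields the gist merges into every rule.
OVERRIDE = {"timestamp_override": "event.ingested",
            "timestamp_override_fallback_disabled": True}


def apply_ingested_override(response_json, keep_existing=True):
    """Mirror of the gist's jq map: add the event.ingested override to each rule.

    keep_existing=True is an addition to the gist's behaviour: a rule that
    already names a different timestamp_override is copied unchanged, so a
    deliberate per-rule choice is not silently overwritten.
    Returns (updated_rules, skipped_rule_ids).
    """
    rules = json.loads(response_json)["data"]
    updated, skipped = [], []
    for rule in rules:
        existing = rule.get("timestamp_override")
        if keep_existing and existing not in (None, OVERRIDE["timestamp_override"]):
            skipped.append(rule["rule_id"])
            updated.append(deepcopy(rule))
            continue
        updated.append({**rule, **OVERRIDE})  # id and rule_id survive the merge
    return updated, skipped


def summarize(updated):
    """Count rules that now use event.ingested with the @timestamp fallback disabled."""
    return sum(1 for r in updated
               if r.get("timestamp_override") == "event.ingested"
               and r.get("timestamp_override_fallback_disabled") is True)


if __name__ == "__main__":
    rules, skipped = apply_ingested_override(SAMPLE_RESPONSE)
    for r in rules:
        print("rule:", json.dumps(r))
    print(f"{summarize(rules)} rule(s) overridden, skipped: {skipped}")
```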