Skip to content

[winlogbeat] lowercase and despace/dehyphen all field names before processing #49567

New issue
New issue
Open
Open
[winlogbeat] lowercase and despace/dehyphen all field names before processing#49567
Labels
needs_teamIndicates that the issue/PR needs a Team:* label
@ash-darin

Description

@ash-darin
ash-darin
opened on Mar 19, 2026

Describe the problem

Windows logs fields with various diverging field names:

IPAddress
IpAddress
Ipaddress
ipAdress

Win32 Error
win32Error
Win32Error

Powershell-ID
PowershellID

are all real field names that result in separate fields in Elasticsearch.

Describe the enhancement:

lowercase all field names and remove spaces (" ") and hyphens ("-") befor processing them. This should significantly cut down on issues with duplicate fields that defy standardization.

Describe a specific use case for the enhancement or feature:
Be able to work with more uniform field names.

Describe drawbacks
This would be a breaking change that would need refactoring of user dashboards.

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs_teamIndicates that the issue/PR needs a Team:* label

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions