data_stream: dataset: {{data_stream.dataset}} paths: {{#each paths as |path i|}} - {{path}} {{/each}} exclude_files: ['\.gz$'] tags: {{#if preserve_original_event}} - preserve_original_event {{/if}} {{#each tags as |tag|}} - {{tag}} {{/each}} {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} allow_deprecated_use: true processors: {{#if preprocessors}} - copy_fields: fields: - from: "message" to: "@metadata.event_original" {{preprocessors}} {{/if}} - rename: fields: - {from: "message", to: "event.original"} - decode_cef: field: event.original {{#if decode_cef_timezone}} timezone: "{{ decode_cef_timezone }}" {{/if}} {{#if ignore_empty_values }} ignore_empty_values: true {{/if}} {{#if preprocessors}} - convert: mode: rename fields: - from: "@metadata.event_original" to: "event.original" {{/if}} {{#if processors}} {{processors}} {{/if}}