Yes, mine are there too. I should clarify more. It seems to be an issue with fields that have a dot as the last special character. So “seen.where” from Intel or “basic_constraints.ca” from x509. Those fields don’t seem to be indexed in the new version.
This isn’t directly relevant to the original question, but it bit me: Elasticsearch field names that contain a “.” require extra work if you’re querying them from one of the language APIs that uses the dot as a dereference character. I wrote a blog post about this a while back:
If you plan to do a lot of work with Bro logs in Elasticsearch from the language clients, it’s a good thing to be aware of.
It has some interesting changes.
I’m having trouble with 2.0 too but it works great with 1.7.