elastic · brijesh-elastic · Nov 12, 2025 · Nov 12, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.47.2"
+  changes:
+    - description: Discard events that are missing the `items[]` field during the split operation and are returned as the root object.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15948
 - version: "2.47.1"
   changes:
     - description: Fix handling of `google_workspace.gmail.message_info.post_delivery_info.interaction.attachment` records.

@@ -111,4 +111,4 @@
             }
         }
     ]
-}
+}
@@ -32,6 +32,10 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: [event]

@@ -1,32 +1,32 @@
 {
     "@timestamp": "2020-10-02T15:00:00.000Z",
     "agent": {
-        "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "e71ef9cb-072e-48d2-9130-96f1d4bce4d3",
+        "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
+        "name": "elastic-agent-58418",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.access_transparency",
-        "namespace": "83912",
+        "namespace": "21501",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "APPLICATION_EVENT",
         "agent_id_status": "verified",
-        "created": "2024-08-01T21:50:19.274Z",
+        "created": "2025-11-12T09:20:36.555Z",
         "dataset": "google_workspace.access_transparency",
         "id": "1",
-        "ingested": "2024-08-01T21:50:31Z",
+        "ingested": "2025-11-12T09:20:39Z",
         "kind": [
             "event"
         ],
@@ -130,4 +130,4 @@
         "id": "1",
         "name": "foo"
     }
-}
+}
@@ -31,6 +31,10 @@ processors:
   - json:
       field: event.original
       target_field: json
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: event

@@ -1,24 +1,24 @@
 {
     "@timestamp": "2022-04-04T15:04:05.000Z",
     "agent": {
-        "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "14b6ad66-8af9-429d-b327-3fee869369e5",
+        "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
+        "name": "elastic-agent-14522",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.admin",
-        "namespace": "62273",
+        "namespace": "51420",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "CHANGE_APPLICATION_SETTING",
@@ -27,10 +27,10 @@
             "iam",
             "configuration"
         ],
-        "created": "2024-08-01T21:51:15.529Z",
+        "created": "2025-11-12T09:21:44.692Z",
         "dataset": "google_workspace.admin",
         "id": "1",
-        "ingested": "2024-08-01T21:51:27Z",
+        "ingested": "2025-11-12T09:21:47Z",
         "kind": "event",
         "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"[email protected]\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"[email protected]\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
         "provider": "admin",
@@ -117,4 +117,4 @@
             }
         }
     }
-}
+}
@@ -1333,4 +1333,4 @@
             ]
         }
     ]
-}
+}
@@ -105,4 +105,4 @@
             }
         }
     ]
-}
+}
@@ -32,6 +32,10 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: [event]

@@ -1,32 +1,32 @@
 {
     "@timestamp": "2020-10-02T15:00:00.000Z",
     "agent": {
-        "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "01101cd7-b942-4061-8dcf-8488f5b64461",
+        "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
+        "name": "elastic-agent-67948",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.context_aware_access",
-        "namespace": "14973",
+        "namespace": "38010",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "APPLICATION_EVENT",
         "agent_id_status": "verified",
-        "created": "2024-08-01T21:53:36.823Z",
+        "created": "2025-11-12T09:23:14.570Z",
         "dataset": "google_workspace.context_aware_access",
         "id": "1",
-        "ingested": "2024-08-01T21:53:48Z",
+        "ingested": "2025-11-12T09:23:17Z",
         "kind": [
             "event"
         ],
@@ -124,4 +124,4 @@
         "id": "1",
         "name": "foo"
     }
-}
+}
@@ -32,6 +32,10 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: [event]

@@ -1,32 +1,32 @@
 {
     "@timestamp": "2020-10-02T15:00:00.000Z",
     "agent": {
-        "ephemeral_id": "9875ab07-088d-4ff3-8cfe-daa3a497cf78",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "7aa421c8-d815-4e38-bd60-cb57bc5846b5",
+        "id": "60de190d-6628-47a3-afea-6a73703cb75b",
+        "name": "elastic-agent-72403",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.device",
-        "namespace": "89096",
+        "namespace": "60770",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "60de190d-6628-47a3-afea-6a73703cb75b",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "APPLICATION_EVENT",
         "agent_id_status": "verified",
-        "created": "2024-08-01T21:54:32.984Z",
+        "created": "2025-11-12T09:24:24.919Z",
         "dataset": "google_workspace.device",
         "id": "1",
-        "ingested": "2024-08-01T21:54:44Z",
+        "ingested": "2025-11-12T09:24:27Z",
         "kind": [
             "event"
         ],
@@ -186,4 +186,4 @@
         "id": "1",
         "name": "foo"
     }
-}
+}
@@ -34,3 +34,4 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"[email protected]","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"publish_change","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"new_publish_visibility","value":"nobody"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"[email protected]"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"private"},{"name":"old_publish_visibility","value":"public_in_the_domain"}]}}
 {"actor":{"email":"[[email protected]](mailto:[email protected])","profileId":"987654"},"etag":"-xyz1234567890/abcdefg","events":{"name":"email_as_attachment","parameters":[{"name":"target","value":"[[email protected]](mailto:[email protected])"},{"name":"target_user","value":"[[email protected]](mailto:[email protected])"},{"boolValue":true,"name":"primary_event"},{"boolValue":true,"name":"billable"},{"boolValue":false,"name":"owner_is_shared_drive"},{"name":"owner","value":"[[email protected]](mailto:[email protected])"},{"name":"doc_id","value":"doc123-456"},{"name":"doc_type","value":"spreadsheet"},{"boolValue":false,"name":"is_encrypted"},{"name":"doc_title","value":"Quarterly Report"},{"name":"visibility","value":"shared_externally"},{"boolValue":false,"name":"actor_is_collaborator_account"},{"boolValue":false,"name":"owner_is_team_drive"}],"type":"access"},"id":{"applicationName":"drive","customerId":"customer12345","time":"2024-07-29T12:34:56.789Z","uniqueQualifier":"4567890"},"kind":"admin#reports#activity"}
 {"actor":{"applicationInfo":{"applicationName":"ToolName","impersonation":true,"oauthClientId":"1111111111111111111111"},"email":"[email protected]","profileId":"222222222222222222222222"},"etag":"\"ABCABCjsATuh9FxZMWuZ372Q1A9Fq11Q7OMecpK3QDU/QZbJ3HVExjF3JuhAD4Gb91V85Dc\"","events":{"name":"access_item_content","parameters":[{"boolValue":true,"name":"billable"},{"boolValue":true,"name":"primary_event"},{"boolValue":false,"name":"owner_is_shared_drive"},{"name":"owner","value":"[email protected]"},{"name":"doc_id","value":"abcabcQ3vLf7CmBtwYRpKe2u1WgHNJq0MsdA"},{"name":"doc_type","value":"png"},{"boolValue":false,"name":"is_encrypted"},{"name":"doc_title","value":"file_docname.png"},{"name":"visibility","value":"private"},{"name":"originating_app_id","value":"333333333333"},{"name":"api_method","value":"drive.comments.list"},{"boolValue":false,"name":"actor_is_collaborator_account"},{"boolValue":false,"name":"owner_is_team_drive"}],"resourceIds":["abcabcLf7CmBtwYRpKe2u1WgHNJq0MsdA"],"type":"access"},"id":{"applicationName":"drive","customerId":"abc134abc123","time":"2025-07-25T06:45:36.066Z","uniqueQualifier":"4444444444444444444"},"kind":"admin#reports#activity","resourceDetails":[{"id":"abcabcLf7CmBtwYRpKe2u1WgHNJq0MsdA","relation":"DRIVE_PRIMARY","title":"file_docname.png","type":"DRIVE_ITEM"}]}
+{"etag":"qPverjhbgkl-7y-wjhfuvje_FEvhqerer_Rawg5Fgrg/sfiygsYUGSDJhvsdlJHVBSDKJV9bri7t32N_SHi4bjhcu2nbJh","kind":"admin#reports#activities","nextPageToken":"W3:KUYfvkfjBYUVFHKE7jhbf9cijbf89YYUCBA09cbajdhoy9JBBIhhIUGliugf78UVugi78FUYv8UGi8gkb-ajkbVUKcvfhasjvVJVDSA"}
@@ -3310,6 +3310,7 @@
                 "id": "222222222222222222222222",
                 "name": "johndoe"
             }
-        }
+        },
+        null
     ]
 }
@@ -34,6 +34,10 @@ processors:
   - json:
       field: event.original
       target_field: json
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - date:
       field: json.id.time
       if: ctx.json?.id?.time != null && ctx.json.id.time != ''
@@ -211,7 +215,7 @@ processors:
   - rename:
       field: google_workspace.drive.target_user
       target_field: google_workspace.drive.target
-      if: ctx.google_workspace.drive.target == null
+      if: ctx.google_workspace?.drive?.target == null
       ignore_missing: true
   - set:
       field: file.type

@@ -1,35 +1,35 @@
 {
     "@timestamp": "2022-05-04T15:04:05.000Z",
     "agent": {
-        "ephemeral_id": "afd0c297-d853-427a-96bc-20af38e5b145",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "f63cc477-4c17-460f-8a39-f41fc874d461",
+        "id": "b588c116-db18-4768-9791-d2e179c06bbc",
+        "name": "elastic-agent-51764",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.drive",
-        "namespace": "99832",
+        "namespace": "47185",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "b588c116-db18-4768-9791-d2e179c06bbc",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "add_to_folder",
         "agent_id_status": "verified",
         "category": [
             "file"
         ],
-        "created": "2024-08-01T21:55:29.295Z",
+        "created": "2025-11-12T09:25:35.165Z",
         "dataset": "google_workspace.drive",
         "id": "1",
-        "ingested": "2024-08-01T21:55:41Z",
+        "ingested": "2025-11-12T09:25:38Z",
         "kind": "event",
         "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"[email protected]\",\"profileId\":1},\"events\":{\"name\":\"add_to_folder\",\"parameters\":[{\"boolValue\":false,\"name\":\"billable\"},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"[email protected]\"},{\"boolValue\":false,\"name\":\"owner_is_shared_drive\"},{\"boolValue\":true,\"name\":\"primary_event\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"}],\"type\":\"access\"},\"id\":{\"applicationName\":\"drive\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
         "provider": "drive",
@@ -111,4 +111,4 @@
         "id": "1",
         "name": "foo"
     }
-}
+}
@@ -96,4 +96,4 @@
             }
         }
     ]
-}
+}
@@ -32,6 +32,10 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: [event]
-Original file line number
+Diff line change
@@ Expand Up / @@ -111,4 +111,4 @@ @@
                 }
             }
         ]
-    }
+    }