Hey @erasedhammer
That would be beyond my capabilities, but when some issues arise, like another device sending logs into an INPUT and they all go to the same index set, an easy way would be to build out the inputs for different devices that would go into their own index set. For example, firewall logs go into an input called "Firewall /w syslog/UDP", then route them into an index set called firewall logs. Think you get the point.
This will avoid mapping conflicts down the road. This will also avoid errors called
ElasticsearchException[Elasticsearch exception [type=illegal_argument_exception, reason=Limit of total fields [1000] has been exceeded]]
Unless you have custom index templates, Elasticsearch/OpenSearch will dynamically map anything it can.
As for the JSON pipeline, you may want to try to flatten it.
Example from here.
EDIT @erasedhammer I forgot to mention, perhaps use a key value, something like this…
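As an added example that is not part of the post above and is not Graylog or Elasticsearch code, the Python below simulates what the reply describes: dynamic mapping infers a type per field path, two devices sending the same field name with different types into one index set produce a mapping conflict, too many distinct fields trips the total-fields limit, and routing each input into its own index set avoids the conflict. The sample log records, the `input_name` field, the device names and the flattening helper are all constructed for the demo; only the default limit of 1000 and the error text come from the post.

```python
"""Simulation of Elasticsearch/OpenSearch dynamic mapping across index sets.
Added example for illustration; sample records and field names are constructed."""

TOTAL_FIELDS_LIMIT = 1000  # the default index.mapping.total_fields.limit


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field paths, roughly what a
    JSON-flattening pipeline step produces. Lists are kept as leaf values."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def es_type(value):
    """Approximate dynamic type inference (bool is checked before int on purpose)."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "text"
    if isinstance(value, list):
        return es_type(value[0]) if value else "null"
    return "object"


class MappingConflict(Exception):
    """Same field path seen with two different types in one index set."""


def build_mapping(docs, limit=TOTAL_FIELDS_LIMIT):
    """Return {field_path: type} for documents that share one index set.
    Raises MappingConflict on a type clash and ValueError when the number
    of distinct fields exceeds the limit."""
    mapping = {}
    for doc in docs:
        for path, value in flatten(doc).items():
            inferred = es_type(value)
            if path in mapping and mapping[path] != inferred:
                raise MappingConflict(f"{path}: {mapping[path]} vs {inferred}")
            mapping.setdefault(path, inferred)
            if len(mapping) > limit:
                raise ValueError(f"Limit of total fields [{limit}] has been exceeded")
    return mapping


def route_by_input(docs):
    """Give each input its own index set (keyed by the constructed
    input_name field) and map each set independently."""
    per_set = {}
    for doc in docs:
        per_set.setdefault(doc["input_name"], []).append(doc)
    return {name: build_mapping(group) for name, group in per_set.items()}


# Constructed sample records: a firewall sends the port as a number,
# a web application sends the same field as a service name string.
FIREWALL_DOC = {"input_name": "Firewall /w syslog/UDP",
                "src": {"port": 443}, "action": "deny"}
WEBAPP_DOC = {"input_name": "Webapp JSON",
              "src": {"port": "https"}, "action": "allow"}
SAMPLE_DOCS = [FIREWALL_DOC, WEBAPP_DOC]


def demo():
    """Show the conflict in a shared index set and its absence when routed."""
    try:
        build_mapping(SAMPLE_DOCS)
        shared = "no conflict"
    except MappingConflict as exc:
        shared = f"conflict in shared index set: {exc}"
    routed = route_by_input(SAMPLE_DOCS)
    return shared, routed


if __name__ == "__main__":
    shared_result, routed_result = demo()
    print(shared_result)
    for index_set, mapping in routed_result.items():
        print(index_set, mapping)
```

Running it prints the `src.port: long vs text` clash for the shared index set and a clean per-input mapping once the documents are routed separately, which is the reason the reply recommends one input and index set per device type.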