Pipeline rule to extract key-value pair not working

You can add more debug() to your function to look at the fields that set_fields() should have created…

debug(concat("+++++++ pc_name is :", to_string($message.pc_name)));
debug(concat("+++++++ user_name is :", to_string($message.user_name)));
debug(concat("+++++++ file_name is :", to_string($message.file_name)));
debug(concat("+++++++ operation is :", to_string($message.operation)));

I would be surprised if they are not created; if so, there is some unregistered typo in your set_fields() function, or there is something messed with further down the line before it is stored in Elastic.

I don’t think it’s an issue with your Input; we have already proven that it arrives, gets into stream, pipeline, and rule, since the right data shows with the debug() of the results of the key_value().

Is there anything else you are doing to the message? Any other rules or pipelines that are working on it before or after?