[filebeat][elasticsearch] deprecation, server and slowlog filesets use the wrong subpipeline version

[miltonhultgren]

Since stack version 8:
deprecation, server and slowlog have supported two log formats.
For version 7 of the stack we used a non-ECS JSON format and for version 8 it's a ECS JSON format.

If you look at the 3 pipelines for how they branch into the version 7 or version 8 sub-pipelines, it's all based on if the ecs.version is part of the incoming message.

Current pipeline code:

ctx.message.contains("ecs.version")'

But this doesn't work because ecs.version isn't part of the ECS formatted message that Elasticsearch is outputting.

Compare this to what does work:

ctx.containsKey("ecs.version")'

(since ecs.version is written to the root of the ingested document by the add_fields processor here).

We should update these 3 pipelines to make sure that version 7 goes to the version 7 pipeline and version 8 goes to the version 8 pipeline correctly.

[miltonhultgren]

The pipelines are fine, it seems to be an issue in ESS that the log format is wrong.