Handle event_type:stats as event.kind:metric

elastic · Feb 23, 2019 · f3b893d · f3b893d
1 parent ff5eaf6
commit f3b893d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 19 deletions.
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
@@ -256,23 +256,9 @@
             }
         },
         {
-            "set": {
-                "if": "ctx.suricata?.eve?.event_type == \"alert\"",
-                "field": "event.kind",
-                "value": "alert"
-            }
-        },
-        {
-            "set": {
-                "if": "ctx.suricata?.eve?.event_type != \"alert\"",
-                "field": "event.kind",
-                "value": "event"
-            }
-        },
-        {
-            "set": {
-                "field": "event.category",
-                "value": "network_traffic"
+            "script": {
+                "lang": "painless",
+                "source": "def t = ctx.suricata?.eve?.event_type; if (t == \"stats\") {\n  ctx['event']['kind'] = \"metric\";\n} else if (t == \"alert\") {\n  ctx['event']['kind'] = \"alert\";\n  ctx['event']['category'] = \"network_traffic\";\n} else {\n  ctx['event']['kind'] = \"event\";\n  ctx['event']['category'] = \"network_traffic\";\n}"
             }
         }
     ],

diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -197,10 +197,9 @@
     {
         "@timestamp": "2018-07-05T19:51:23.009Z",
         "ecs.version": "1.0.0-beta2",
-        "event.category": "network_traffic",
         "event.dataset": "suricata.eve",
         "event.end": "2018-07-05T19:51:23.009Z",
-        "event.kind": "event",
+        "event.kind": "metric",
         "event.module": "suricata",
         "fileset.name": "eve",
         "input.type": "log",