diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
index 85a3d591978..e1fcf7c0c6e 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
@@ -256,23 +256,9 @@
 }
 },
 {
- "set": {
- "if": "ctx.suricata?.eve?.event_type == \"alert\"",
- "field": "event.kind",
- "value": "alert"
- }
- },
- {
- "set": {
- "if": "ctx.suricata?.eve?.event_type != \"alert\"",
- "field": "event.kind",
- "value": "event"
- }
- },
- {
- "set": {
- "field": "event.category",
- "value": "network_traffic"
+ "script": {
+ "lang": "painless",
+ "source": "def t = ctx.suricata?.eve?.event_type; if (t == \"stats\") {\n ctx['event']['kind'] = \"metric\";\n} else if (t == \"alert\") {\n ctx['event']['kind'] = \"alert\";\n ctx['event']['category'] = \"network_traffic\";\n} else {\n ctx['event']['kind'] = \"event\";\n ctx['event']['category'] = \"network_traffic\";\n}"
 }
 }
 ],
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
index 3cb37412bbe..82c1fd66725 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -197,10 +197,9 @@
 {
 "@timestamp": "2018-07-05T19:51:23.009Z",
 "ecs.version": "1.0.0-beta2",
- "event.category": "network_traffic",
 "event.dataset": "suricata.eve",
 "event.end": "2018-07-05T19:51:23.009Z",
- "event.kind": "event",
+ "event.kind": "metric",
 "event.module": "suricata",
 "fileset.name": "eve",
 "input.type": "log",
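Review bot: The new painless `source` writes `ctx['event']['kind']` and `ctx['event']['category']` without a null check on `ctx.event`, whereas the replaced `set` processors created the intermediate `event` object automatically; if any document reaches this processor without an `event` map, the assignment throws and the whole pipeline fails for that document. The expected-output fixture shows `event.dataset` and `event.module` already present, so `ctx.event` presumably exists by this point in the pipeline — but that depends on processors outside this hunk and on the shipper populating those fields, and the script reads `ctx.suricata?.eve?.event_type` with null-safe access while writing the `event` path unguarded. A one-line guard at the start of the script keeps the old behaviour: `if (ctx.event == null) { ctx.event = new HashMap(); }`. The fixture change in eve-small.log-expected.json (stats events now get `event.kind: "metric"` and no `event.category`) is consistent with the script's `stats` branch, so that part needs no change.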