From 7c73b4713f6bb302ae8c072020604bcbf84c9a54 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 14 Nov 2025 15:41:54 -0600
Subject: [PATCH] update analyzer pipeline
---
 salt/elasticsearch/files/ingest/zeek.analyzer | 89 +++++--------------
 1 file changed, 21 insertions(+), 68 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.analyzer b/salt/elasticsearch/files/ingest/zeek.analyzer
index 7b0c3dfa7..aa743b0ee 100644
--- a/salt/elasticsearch/files/ingest/zeek.analyzer
+++ b/salt/elasticsearch/files/ingest/zeek.analyzer
@@ -1,10 +1,10 @@
 {
- "description": "zeek.dpd",
+ "description": "zeek.analyzer",
 "processors": [
 {
 "set": {
 "field": "event.dataset",
- "value": "dpd"
+ "value": "analyzer"
 }
 },
 {
@@ -23,75 +23,28 @@
 }
 },
 {
- "dot_expander": {
- "field": "id.orig_h",
- "path": "message2",
+ "set": {
+ "field": "network.protocol",
+ "copy_from": "message2.analyzer_name",
+ "ignore_empty_value": true,
+ "if": "ctx?.message2?.analyzer_kind == 'protocol'"
+ }
+ },
+ {
+ "set": {
+ "field": "network.protocol",
+ "ignore_empty_value": true,
+ "if": "ctx?.message2?.analyzer_kind != 'protocol'",
+ "copy_from": "message2.proto"
+ }
+ },
+ {
+ "lowercase": {
+ "field": "network.protocol",
+ "ignore_missing": true,
 "ignore_failure": true
 }
 },
- {
- "rename": {
- "field": "message2.id.orig_h",
- "target_field": "source.ip",
- "ignore_missing": true
- }
- },
- {
- "dot_expander": {
- "field": "id.orig_p",
- "path": "message2",
- "ignore_failure": true
- }
- },
- {
- "rename": {
- "field": "message2.id.orig_p",
- "target_field": "source.port",
- "ignore_missing": true
- }
- },
- {
- "dot_expander": {
- "field": "id.resp_h",
- "path": "message2",
- "ignore_failure": true
- }
- },
- {
- "rename": {
- "field": "message2.id.resp_h",
- "target_field": "destination.ip",
- "ignore_missing": true
- }
- },
- {
- "dot_expander": {
- "field": "id.resp_p",
- "path": "message2",
- "ignore_failure": true
- }
- },
- {
- "rename": {
- "field": "message2.id.resp_p",
- "target_field": "destination.port",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "message2.proto",
- "target_field": "network.protocol",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "message2.analyzer",
- "target_field": "observer.analyzer",
- "ignore_missing": true
- }
- },
 {
 "rename": {
 "field": "message2.failure_reason",
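Review bot: The new side drops the mapping of message2.id.orig_h/orig_p/resp_h/resp_p to source.ip, source.port, destination.ip and destination.port (and of message2.analyzer to observer.analyzer) without adding a replacement anywhere in the hunk; if analyzer.log still carries the id.* connection fields and no later shared pipeline maps them, these events land in ECS with no endpoint fields and cannot be correlated by address, which is what detections and triage pivot on, so unless a downstream pipeline covers this the four dot_expander/rename pairs should be retained. The second `set` copies `message2.proto` into network.protocol, but analyzer.log does not appear to emit a `proto` field the way dpd.log did, so that processor may be a carry-over that never fires; it is worth confirming against a sample record and documenting each processor's intent with a `"description"` key, e.g. `"description": "protocol analyzers: analyzer_name is the protocol name"`. A minor style point is that the two `set` processors list their keys in different orders (`if` before `copy_from` in the second), and keeping one order makes the pair easier to compare. The enclosing `processors` array starts in the first hunk and continues past the end of this one.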