ja4 ignore empty strings

2025-12-22 00:43:09 +01:00 · 2025-07-17 10:47:00 -05:00
parent b3eb06f53e
commit c29f11863e
6 changed files with 10 additions and 10 deletions
--- a/salt/elasticsearch/files/ingest/zeek.ja4ssh
+++ b/salt/elasticsearch/files/ingest/zeek.ja4ssh
@@ -4,7 +4,7 @@
    {"set": {"field": "event.dataset","value": "ja4ssh"}},
    {"remove": {"field": "host","ignore_missing": true,"ignore_failure": true}},
    {"json": {"field": "message","target_field": "message2","ignore_failure": true}},
-    {"rename": {"field": "message2.ja4ssh", "target_field": "ja4.ja4ssh", "ignore_missing": true}},
+    {"rename": {"field": "message2.ja4ssh", "target_field": "hash.ja4ssh", "ignore_missing": true, "if": "ctx?.message2?.ja4ssh != null && ctx.message2.ja4ssh.length() > 0" }},
    {"pipeline": {"name": "zeek.common"}}
  ]
 }