{
    "description": "zeek.analyzer",
    "processors": [
        {
            "set": {
                "field": "event.dataset",
                "value": "analyzer"
            }
        },
        {
            "remove": {
                "field": [
                    "host"
                ],
                "ignore_failure": true
            }
        },
        {
            "json": {
                "field": "message",
                "target_field": "message2",
                "ignore_failure": true
            }
        },
        {
            "set": {
                "field": "network.protocol",
                "copy_from": "message2.analyzer_name",
                "ignore_empty_value": true,
                "if": "ctx?.message2?.analyzer_kind == 'protocol'"
            }
        },
        {
            "set": {
                "field": "network.protocol",
                "ignore_empty_value": true,
                "if": "ctx?.message2?.analyzer_kind != 'protocol'",
                "copy_from": "message2.proto"
            }
        },
        {
            "lowercase": {
                "field": "network.protocol",
                "ignore_missing": true,
                "ignore_failure": true
            }
        },
        {
            "rename": {
                "field": "message2.failure_reason",
                "target_field": "error.reason",
                "ignore_missing": true
            }
        },
        {
            "pipeline": {
                "name": "zeek.common"
            }
        }
    ]
}