# Author: Josh Brower
# Last Update: 12/28/2018
# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column

filter {
  if "osquery" in [tags] and [osquery][columns][eventid] {

        mutate {
     gsub => ["[osquery][columns][data]", "\\x0A", ""]
    }

        json {
      source => "[osquery][columns][data]"
      target => "[osquery][columns][data]"
     }

        mutate {
     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
     remove_field => ["[osquery][columns][data]"]
        }

  }
}