securityonion/salt/elasticsearch/files/ingest/zeek.cip

{
  "description" : "zeek.cip",
  "processors" : [
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "cip.is.origin",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.cip_sequence_count", 	"target_field": "cip.sequence_count",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.direction", 		"target_field": "cip.direction",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.cip_service_code", 	"target_field": "cip.service_code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.cip_service", 		"target_field": "cip.service",		"ignore_missing": true 	} },
    { "convert":         { "field": "cip.service",       "type": "string",                     "ignore_missing": true  } },
    { "rename": 	{ "field": "message2.cip_status", 	"target_field": "cip.status_code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.class_id", 		"target_field": "cip.request.path.class.id",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.class_name", 		"target_field": "cip.request.path.class.name",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.instance_id", 		"target_field": "cip.request.path.instance.id",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.attribute_id", 		"target_field": "cip.request.path.attribute.id",		"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
}