I have my logstash config file as below,
input{
file {
type => "json"
path => "D:/a-json.json"
start_position => "beginning"
sincedb_path => "NUL"
mode => "read"
file_completed_action => "log"
file_completed_log_path => "nul"
codec => json
}
}
filter {
json {
source => "message"
}
split{
field => "group"
}
if [group][type] == "Adversary" {
mutate{
add_field => {
"group_name" => "%{[group][name]}"
"tags" => ""
"summary" => ""
}
}
ruby {
code => '
a = event.get("[group][tag]")
if a
s = ""
a.each_index { |x|
s += a[x]["name"]+","
}
event.set("[@metadata][tags]", s)
event.set("tags", s.split(","))
end
'
}
ruby {
code => '
c = event.get("[indicator]")
if c
b = ""
c.each_index { |x|
b += c[x]["summary"]+","
}
event.set("[summary]",b)
event.set("summary", b.split(","))
end
'
}
}
prune {
whitelist_names => ["group_name","tags","summary"]
}
fingerprint {
method => "SHA256"
source => ["group_name"]
target => "[@metadata][generate_id]"
}
}
output {
elasticsearch {
hosts => [ "https://local:9200" ]
user => "******"
password => "*****"
index => "testing"
document_id => "%{[@metadata][generate_id]}"
}
stdout {
codec => rubydebug
}
}
If I am trying to ingest it one time using logstash, I am getting 2 hit in kibana with the following details,
1st hit:_id,type,_index,_score
2nd hit:_id,type,_index,_score,summary,tags,group_name
How to remove the first hit and have one hit alone with all the details?