OK, so in elasticsearch you have three documents, which means in logstash you will have three separate events. What ties them together? Is it originLogId?
Do you want a fourth document that contains the three strings in a single field?
[ "Identity merged", "Identity Accepted", "Identity Rejected" ]
This can be done using an aggregate filter.
If you want all three documents updated with that then I am unsure whether that can be done.
Also, "Identity merged" comes from the [service] field, not the [result] field. How should logstash know which field to look in? Should it just test both and use whichever one starts with Identity?