Thank you for the immediate reply. If this works in Ruby, please provide the Ruby code; otherwise, can the field be created using the kv filter?
Below is the JSON-format data:
{"schemaVersion":"2.0","accountId":"234156789","region":"ca-west-1","partition":"aws","id":"4dfgjkmnby67093sdfvhnm7","arn":"arn:aws:datasource:ca-west-1:234156789:detectortgrfde67aef0db43a6600995eea0fe2/finding/4cb78d76f9fa922fdbe8dc4a765997a9","type":"Recon:EC2/PortProbeUnprotectedPort","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-45tgbfd3","instanceType":"m3.xlarge","launchTime":"2019-09-23T23:20:46Z","platform":null,"productCodes":[],"iamInstanceProfile":null,"networkInterfaces":[],"outpostArn":null,"tags":[{"key":"Environment","value":"true"},{"key":"nga","value":"llo"},{"key":"Name","value":"et"},{"key":"llo","value":"UltraRecursive.net"},{"key":"EOP","value":"19.21.65.1"}],"instanceState":"running","availabilityZone":"ca-west-1b","imageId":"ami-45tgfe34","imageDescription":"null"}},"service":{"serviceName":"datasource","detectorId":"4cb78d76f9fa922fdbe8dc4a765997a9","action":{"actionType":"PORT_PROBE","portProbeAction":{"portProbeDetails":[{"localPortDetails":{"port":80,"portName":"HTTP"},"remoteIpDetails":{"ipAddressV4":"193.80.17.56","organization":{"asn":"45678","asnOrg":"ipinc","isp":"ip inc","org":"ip inc"},"country":{"countryName":"Netherlands"},"city":{"cityName":""},"geoLocation":{"lat":2.3824,"lon":89.95}}}],"blocked":false}},"resourceRole":"TARGET","additionalInfo":{"threatName":"Scanner","threatListName":"ProofPoint"},"evidence":{"threatIntelligenceDetails":[{"threatNames":["Scanner"],"threatListName":"ProofPoint"}]},"eventFirstSeen":"2019-12-18T21:20:17Z","eventLastSeen":"2020-07-21T17:55:27Z","archived":false,"count":15022},"severity":2,"createdAt":"2019-12-18T21:33:19.733Z","updatedAt":"2020-07-21T18:05:18.984Z","title":"Unprotected port on EC2 instance i-45tgbfd3 is being probed.","description":"EC2 instance has an unprotected port which is being probed by a known malicious host."}
The field should be in the format below:
aws.datasource.resource.instanceDetails.tags : Environment:<value1>;nga:<value2>;Name:<value3> etc.
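
An added example, not part of the original post: plain Ruby that flattens the `tags` array of the finding above into the requested `key:value;key:value` string, skipping malformed entries. The helper names `flatten_tags` and `tags_field` are hypothetical, and the Logstash field paths mentioned in the comments are assumptions about the pipeline.

```ruby
require 'json'

# Constructed sample: the finding from the post, trimmed to the fields used here.
SAMPLE = <<~FINDING
  {"resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-45tgbfd3",
   "tags":[{"key":"Environment","value":"true"},{"key":"nga","value":"llo"},
           {"key":"Name","value":"et"},{"key":"llo","value":"UltraRecursive.net"},
           {"key":"EOP","value":"19.21.65.1"}]}}}
FINDING

# Turn [{"key"=>k,"value"=>v}, ...] into "k:v;k:v".
# Returns nil when nothing usable is present, so the caller can leave the
# field unset instead of writing an empty string.
# Caveat: a tag value that itself contains ';' or ':' makes the flattened
# string ambiguous to split again later.
def flatten_tags(tags)
  return nil unless tags.is_a?(Array)

  pairs = tags.map do |tag|
    # Skip entries that are not {"key": "<non-empty string>", ...}.
    next unless tag.is_a?(Hash) && tag['key'].is_a?(String) && !tag['key'].empty?

    "#{tag['key']}:#{tag['value']}"
  end.compact
  pairs.empty? ? nil : pairs.join(';')
end

# Parse one finding and return the flattened tag string, or nil if the
# document is not valid JSON or has no resource.instanceDetails.tags array.
def tags_field(json_text)
  finding = JSON.parse(json_text)
  return nil unless finding.is_a?(Hash)

  flatten_tags(finding.dig('resource', 'instanceDetails', 'tags'))
rescue JSON::ParserError, TypeError
  nil
end

# Inside a Logstash ruby filter the same logic would read the array with
# event.get('[resource][instanceDetails][tags]') and write the result with
# event.set(...); both field paths are assumptions about the pipeline.
puts tags_field(SAMPLE)
```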