So I've just come back to this and spent the last hour tinkering.
I can't see why this wouldn't be valid, but the code never evaluates anything, so I'm guessing it is. I can run this against other fields with a positive result, but not against the message field in a Winlogbeat index.
// Painless `==~` only succeeds if the regex matches the whole string; `=~` matches anywhere in it.
// Guard against documents that have no value for the field before reading .value.
if (doc["message"].size() != 0 && doc["message"].value =~ /An account was successfully logged on\./) {
    return "test";
}
I'm trying to scan all entries in this index and look for the above-mentioned text string in the Winlogbeat message field. If I find it, I want an additional field with the contents "test" added to the index record.
Is it not possible to do this with the message field?
It's exactly the same problem as discussed here
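For reference, an added example that is not part of the original post: two properties of Painless matter here. First, `==~` is the match operator and requires the regular expression to cover the entire string, so it never fires on a multi-line Windows event text that merely begins with "An account was successfully logged on."; `=~` is the find operator and matches anywhere in the string. Second, a Kibana scripted field reads only doc values, and Winlogbeat maps `message` as a `text` field, so `doc['message']` is not reachable there, and a scripted field never writes anything back into the stored document in any case. Adding a field to the record is an ingest pipeline job, where the script processor sees the raw source as `ctx`. The pipeline below is example code, not from the original poster or the Winlogbeat project; the pipeline name `tag-logon` and the target field `logon_tag` are assumptions. Note the doubled backslash, which JSON needs to pass `\.` through to the regex.

```json
{
  "description": "Added example, not from the original post: tag successful Windows logons",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "source": "if (ctx.message != null && ctx.message =~ /An account was successfully logged on\\./) { ctx.logon_tag = 'test'; }"
      }
    }
  ]
}
```

Create it with `PUT _ingest/pipeline/tag-logon` and attach it to incoming events either with `output.elasticsearch.pipeline: tag-logon` in winlogbeat.yml or via the index's `index.default_pipeline` setting; `POST _ingest/pipeline/tag-logon/_simulate` with a sample document lets you confirm `logon_tag` appears before touching live data. On older clusters, regular expressions in Painless are disabled by default and have to be enabled with `script.painless.regex.enabled` in elasticsearch.yml, which is another reason a regex-based script can silently fail to evaluate.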