Hi,
maybe I am completely on the wrong track, but I would expect 1 document (when event cancel is active I get nothing):
{
"Type" => "REQ_OUT",
"@version" => "1",
"host" => "LGS02",
"ExchangeId" => "260e06a3-9cb5-4154-bf97-637e929fa4c2",
"@timestamp" => 2021-04-14T06:46:29.221Z,
"path" => "/tmp/test.txt"
"REQ_OUT" => {
"timestamp" => "2021-04-02T05:50:45.534Z",
"severity" => "INFO",
...
}
"RESP_IN" => {
"timestamp" => "2021-04-02T05:50:44.251Z",
"severity" => "INFO",
"ResponseCode" => "200",
...
}
"@version" => "1",
"host" => "LGS02",
"ExchangeId" => "260e06a3-9cb5-4154-bf97-637e929fa4c2",
"@timestamp" => 2021-04-14T06:46:29.247Z,
"path" => "/tmp/test.txt"
}