Hi,
I just want to remove the field os-changes:
"alert": [
  {
    "src": {
      "url": "xxxx",
      "domain": "xxxx",
      "smtp-mail-from": "xxxxxxxx"
    },
    "severity": "xxxx",
    "dst": { "smtp-to": "xxxxx" },
    "explanation": {
      "protocol": "",
      "service": "xxxxxx",
      "analysis": "binary",
      "os-changes": [ { XXXXXXX } ]  # and I want to remove everything included in the os-changes array, because it contains a lot of data that is only overhead to our system; it should be simple
    }
  }
]
I suppose the syntax would be
remove_field => ["json","message","[alert][explanation][os-changes]"]
but for some reason it doesn't work; I'm still getting the field os-changes and its subfields.
Dubravko
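The reason `[alert][explanation][os-changes]` does not match is that `alert` is an array, so the path would need an index (`[alert][0][explanation][os-changes]`) and `remove_field` cannot walk every element. The following is an added example, not code from the original post: a stand-alone Ruby script that takes the parsed event (the shape the json filter produces), strips `os-changes` from every alert's `explanation`, and leaves the rest untouched. The sample message is constructed with placeholder values; the Logstash `ruby` filter shown in the trailing comment is an assumed way to run the same logic inside a pipeline and is not from the question.

```ruby
require 'json'

# Constructed sample, shaped like the event body in the question; values are placeholders.
SAMPLE_MESSAGE = <<~JSON
  {
    "alert": [
      {
        "src": { "url": "xxxx", "domain": "xxxx", "smtp-mail-from": "xxxxxxxx" },
        "severity": "xxxx",
        "dst": { "smtp-to": "xxxxx" },
        "explanation": {
          "protocol": "",
          "service": "xxxxxx",
          "analysis": "binary",
          "os-changes": [ { "placeholder": "bulky data we do not want to index" } ]
        }
      }
    ]
  }
JSON

# Remove the "os-changes" key from every alert's "explanation" sub-document.
# Returns a new array; the input is not modified. Non-array or malformed
# entries are passed through unchanged so an odd event never breaks the pipeline.
def strip_os_changes(alerts)
  return alerts unless alerts.is_a?(Array)
  alerts.map do |alert|
    next alert unless alert.is_a?(Hash) && alert['explanation'].is_a?(Hash)
    explanation = alert['explanation'].reject { |key, _| key == 'os-changes' }
    alert.merge('explanation' => explanation)
  end
end

# Apply the cleanup to a whole parsed event hash (what the json filter would have produced).
def scrub_event(event)
  event.merge('alert' => strip_os_changes(event['alert']))
end

# Hypothetical Logstash equivalent using the ruby filter's event API (event.get / event.set);
# the same per-element deletion, re-set on the event so the change is persisted:
#   ruby {
#     code => '
#       alerts = event.get("[alert]")
#       if alerts.is_a?(Array)
#         alerts.each { |a| a["explanation"].delete("os-changes") if a["explanation"].is_a?(Hash) }
#         event.set("[alert]", alerts)
#       end
#     '
#   }

if __FILE__ == $PROGRAM_NAME
  cleaned = scrub_event(JSON.parse(SAMPLE_MESSAGE))
  puts JSON.pretty_generate(cleaned)
end
```

Run the script directly to see the event with `os-changes` gone from each alert while `src`, `dst`, `severity` and the other `explanation` keys survive; dropping the field before output is also the cheapest place to cut the ingest volume the post complains about.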