In the article at https://www.elastic.co/blog/bro-ids-elastic-stack (great article, by the way), you may want to note to users that if they are continuously updating the file that the dictionary_path in translate points at, they should either add
periodic_flush => "true"
or restart Logstash after the file is updated.
Is that the correct way to go about making sure changes to a dictionary_path are implemented, or is there a more efficient way?