Hi, I have some logs indexed in Elasticsearch by Logstash that provide two types of events:
{
  "@timestamp": "Nov 23, 2023 @ 15:24:33.064",
  "Detection ID": "ldt:87654321",
  "logSource": "CS Detection",
  "src": "0.0.0.0",
  "usrName": "user.of.detection.log",
  "New State": "new"
}
{
  "@timestamp": "Nov 23, 2023 @ 15:28:55.953",
  "Detection ID": "ldt:87654321",
  "New State": "closed",
  "Operation Name": "detection_update",
  "logSource": "CS Audit",
  "src": "0.0.0.0",
  "usrName": "user.from.audit.log"
}
The first log (CS Detection) would be a main event and the second log (CS Audit) would be an update of the main event, although the data and information are not the same.
Once the second log is indexed, I would like it to be checked whether the Detection ID field has the same value in both logs, in addition to checking in the second log whether the "Operation Name" field has the value "detection_update".
If these conditions were met, I would like the value of the "New State" field to be updated in the Detection log with the value of the "New State" field of the Audit log, in addition to returning the value of the "usrName" field of the Audit log and adding it to the field "Assigned To" from the Detection log.
Expected outcome:
{
  "@timestamp": "Nov 23, 2023 @ 15:24:33.064",
  "Assigned To": "user.from.audit.log",
  "Detection ID": "ldt:87654321",
  "logSource": "CS Detection",
  "src": "0.0.0.0",
  "usrName": "user.of.detection.log",
  "New State": "closed"
}
Is it possible?
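One way to get the outcome described in the question, written here as an added example rather than code from the poster: index each "CS Detection" event under a deterministic document id (its `Detection ID`), and let every "CS Audit" event whose `Operation Name` is `detection_update` issue a scripted update against that same id. The Elasticsearch output plugin passes the current event to the Painless script as `params.event`. The host URL and the index names `cs-detections` and `cs-audit` are assumptions; adjust them to the real deployment.

```logstash
# Added example pipeline (not the poster's configuration).
# Assumes: Elasticsearch at localhost:9200, indices "cs-detections" and "cs-audit".

output {
  if [logSource] == "CS Detection" {
    # Detection documents get a stable id so audit events can address them later.
    elasticsearch {
      hosts       => ["http://localhost:9200"]
      index       => "cs-detections"
      document_id => "%{[Detection ID]}"
    }
  } else {
    # Audit events are stored in full, with an auto-generated id,
    # so the audit trail itself is never overwritten.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "cs-audit"
    }

    # Only audit events that describe a detection update touch the detection document.
    if [logSource] == "CS Audit" and [Operation Name] == "detection_update" {
      elasticsearch {
        hosts       => ["http://localhost:9200"]
        index       => "cs-detections"
        action      => "update"
        document_id => "%{[Detection ID]}"   # same id as the detection document
        script_type => "inline"
        script_lang => "painless"
        # Copy the new state and record who acted on the detection.
        # params.event is the audit event being processed (default script_var_name).
        script      => "ctx._source['New State'] = params.event['New State']; ctx._source['Assigned To'] = params.event['usrName']"
      }
    }
  }
}
```

Two caveats a practitioner should check before relying on this: the update only succeeds if the detection document already exists, so an audit event that arrives before its detection (or for an id never ingested) fails with a missing-document error and lands in the dead letter queue if that is enabled; and because the script trusts `params.event`, the `Operation Name` condition is the only thing preventing unrelated audit records from rewriting detection state, so keep that condition strict and review the dead letter queue for updates that did not apply.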