From 6f1c2601ac11dca98611404a32141cd8540bf9f6 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 7 Feb 2024 10:21:38 -0700
Subject: [PATCH] work in progress for idaholab/Malcolm#395, malcolm reporting capture statistics from zeek/suricata
---
 logstash/pipelines/zeek/12_zeek_mutate.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 9ad57fcdd..4c15084ec 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -2485,7 +2485,7 @@ filter {
 mutate { id => "mutate_add_field_ecs_event_kind_alert"
 add_field => { "[event][kind]" => "alert" } }
 } else if ("_zeekdiagnostic" in [tags]) and ([zeek][stats]) {
- mutate { id => "mutate_add_field_ecs_event_kind_event"
+ mutate { id => "mutate_add_field_ecs_event_kind_metric"
 add_field => { "[event][kind]" => "metric" } }
 } else {
 mutate { id => "mutate_add_field_ecs_event_kind_event"