Refactor Office 365 filter (v2.0.0) by simplifying the structure.

JocLRojas · JocLRojas · commit 1ef1e72a8013 · 2025-05-16T14:07:31.000-04:00
diff --git a/filters/office365/o365-all.conf b/filters/office365/o365-all.conf
@@ -1,17 +1,19 @@
 filter {
-    if [logx][type] and [logx][type] == "o365" {
+
+# Office 365 version 2.0.0
+
+  	json {
+        source => "message"
+    }
+
+    if ([dataType] == "o365") {
+
         mutate {
-            add_field => {
-                "dataType" => "o365"
-            }
-            add_field => {
-                "dataSource" => "o365"
-            }
+            rename => {"[logx][tenant]" => "[logx][o365][tenant]"}
         }
 
         mutate {
-            remove_field => ["headers", "[logx][type]", "@version", "global", "es_metadata_id"]
+            remove_field => ["headers", "@version", "global"]
         }
-
     }
 }
