common.yml

description: Pipeline for parsing google_workspace logs
processors:
  - uri_parts:
      field: url.full
      ignore_failure: true
      if: ctx?.url?.full != null
  - geoip:
      field: source.ip
      target_field: source.geo
      ignore_missing: true
  - geoip:
      database_file: GeoLite2-ASN.mmdb
      field: source.ip
      target_field: source.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
  - rename:
      field: source.as.asn
      target_field: source.as.number
      ignore_missing: true
  - rename:
      field: source.as.organization_name
      target_field: source.as.organization.name
      ignore_missing: true
  - remove:
      field: json
      ignore_missing: true
  - set:
      field: event.ingested
      value: "{{ _ingest.timestamp }}"

on_failure:
  - set:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"