From c0ea4560fbd8df355d96f910789c1036be176f40 Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Thu, 24 Oct 2024 11:55:54 -0500
Subject: [PATCH] Added replayc message after split in Azure singin logs
---
 .../event_hub_audit_azure.event_hub_interactive_signin.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index e15162d5..9b61245d 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -24,6 +24,12 @@ filter {
 field => "[tmp][records]"
 target => "az"
 }
+ mutate {
+ replace => { "message" => "%{az}" }
+ }
+ json_encode {
+ source => "message"
+ }
 } else {
 mutate {
 rename => { "tmp" => "az"}
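Review bot: The added `json_encode` on `message` probably double-encodes the record: when `az` is a hash after the split, the `%{az}` reference in `mutate { replace }` should already be rendered as JSON text, so encoding that string again would leave `message` as a quoted, escaped JSON string rather than the sign-in record itself. Serialising the field directly in one step, `json_encode { source => "az" target => "message" }`, avoids this and keeps the per-record `message` usable for downstream parsing and for comparison with the original Azure event during an investigation. The `else` branch continues outside the hunk, so whether unsplit events get a matching `message` is not visible here. A short comment above the new filters, such as `# rebuild message from the single split record so it no longer holds the whole batch`, would record why `message` is rewritten.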