From 3623fdd368d815d4796de00386479f0640a7d3b1 Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Thu, 24 Oct 2024 12:30:15 -0500
Subject: [PATCH] move removed tmp field up in Azure interactive signon
---
 .../event_hub_audit_azure.event_hub_interactive_signin.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index 9b61245d..d89a95a4 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -24,6 +24,9 @@ filter {
 field => "[tmp][records]"
 target => "az"
 }
+ mutate {
+ remove_field => [ "tmp" ]
+ }
 mutate {
 replace => { "message" => "%{az}" }
 }
@@ -230,7 +233,7 @@ filter {
 }
 #
 mutate {
- remove_field => [ "tmp", "az" ]
+ remove_field => [ "az" ]
 }
 }
 output {
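Review bot: With `remove_field => [ "tmp" ]` now placed directly after the filter that writes `az` in the first hunk, every filter in the roughly 200 lines between the two hunks runs without `tmp`, and those lines are not visible here. Logstash does not raise on a missing field: a leftover `%{[tmp][...]}` reference stays as literal text and an `if [tmp]...` conditional simply evaluates false, so a missed reference would quietly change the sign-in audit events instead of failing. Please confirm nothing in that range still reads `[tmp]`. It would also help to say why the removal sits here, for example `# tmp is only the source for "az"; drop it before the per-record filters below` above the new `mutate` (the reason is presumed from the commit subject, so adjust the wording). The filter that owns `field`/`target` opens above the hunk, so its type and failure handling cannot be checked from here.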