From 09cf72d50b399dc5cc8348882ee75a60acc8db25 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Tue, 27 Feb 2024 12:00:48 -0700
Subject: [PATCH] work in progress incorporating icsnpp-profinet-io-cm, idaholab/Malcolm#429
---
 logstash/pipelines/zeek/11_zeek_parse.conf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index 034c7e569..2193b6546 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -2709,6 +2709,13 @@ filter {
 split => { "[zeek_cols][sel_ack]" => "," } } }
+ if ([zeek_cols][packet_type]) and ((![zeek_cols][operation]) or ([zeek_cols][operation] == '(empty)') or
+ ([zeek_cols][operation] == 'unknown') or ([zeek_cols][operation] == '-') or
+ ([zeek_cols][operation] == '')) {
+ mutate { id => "mutate_replace_zeek_profinet_io_cm_operation"
+ replace => { "[zeek_cols][operation]" => "%{[zeek_cols][packet_type]}" } }
+ }
+
 mutate { id => "mutate_add_fields_zeek_profinet_io_cm" add_field => {