From 00b3882d18017c5a88177d5a8d518a1f096c7b2a Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 3 Nov 2023 13:06:50 -0400
Subject: [PATCH] Update logstash filter

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 logstash.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/logstash.rst b/logstash.rst
index 7a08fd10..997fae8f 100644
--- a/logstash.rst
+++ b/logstash.rst
@@ -58,7 +58,7 @@ For example, to forward all :ref:`zeek` events from the ``dns`` dataset, we coul
 ::

 output {
- if [module] =~ "zeek" and [dataset] =~ "dns" {
+ if [event][module] == "zeek" and [pipeline] == "dns" {
 udp {
 id => "cloned_events_out"
 host => "192.168.x.x"