From 54b7ad81e2b08b0605eb65b5105b91d369f43028 Mon Sep 17 00:00:00 2001
From: fabio
Date: Wed, 10 Jul 2019 14:23:06 +0000
Subject: [PATCH] Compatibility with Logstash 7.2
Previous version didn' t work for me in logstash 7. The to_hash method was not found and also not needed as the above split already creates an array.
---
 2110_filter_section_k_parse_matchedRules.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/2110_filter_section_k_parse_matchedRules.conf b/2110_filter_section_k_parse_matchedRules.conf
index 525ea8a..2671d4a 100644
--- a/2110_filter_section_k_parse_matchedRules.conf
+++ b/2110_filter_section_k_parse_matchedRules.conf
@@ -14,6 +14,7 @@ filter {
 # hack.. @see https://logstash.jira.com/browse/LOGSTASH-1331
 mutate {
 gsub => [ "rawSectionK", "\n", "~" ]
+ gsub => [ "rawSectionK", "(~+)", "~" ]
 split => [ "rawSectionK" , "~" ]
 }
@@ -24,7 +25,7 @@ filter {
 ruby {
 code => "
 secRuleIds = Array.new()
- matchedRules_array = event.get('matchedRules').to_hash
+ matchedRules_array = event.get('matchedRules')
 matchedRules_array.each do |entry|
 if entry.match(/^SecRule /) and entry.match(/,id:/)
 secRuleIds.push(/,id:(?\d+)/.match(entry)[:ruleId])
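Review bot: The added second `gsub` in the same `mutate` block only works because Logstash's config compiler merges duplicate array-valued attributes of one plugin block by concatenation, which a reader can easily mistake for the second setting overriding the first; writing both substitutions as one flat triplet array, `gsub => [ "rawSectionK", "\n", "~", "rawSectionK", "(~+)", "~" ]`, states the intent and does not depend on that merging. The capturing group in `(~+)` is never referenced, so `~+` is sufficient. Collapsing repeated separators also leaves a leading or trailing `~` untouched, so if the raw section begins or ends with a newline an empty first or last element can still reach the `ruby` filter in the next hunk. The `mutate` block closes inside the hunk, but the enclosing `filter { ... }` continues outside it.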
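Review bot: `event.get('matchedRules')` returns nil when the field is absent, and the next line's `.each` then raises NoMethodError, which Logstash surfaces as a `_rubyexception` tag on the event instead of a clean skip; `matchedRules_array = Array(event.get('matchedRules'))` covers both a missing field and one that is still a single string. Independently, the guard `entry.match(/,id:/)` is weaker than the extracting regex on the following line, which needs digits right after `id:`, so a rule with a quoted id such as `id:'950001'` (as some rule sets write it) passes the guard while `.match(entry)` returns nil and `[:ruleId]` raises; matching once with `if entry.start_with?('SecRule ') && (m = /,id:(?<ruleId>\d+)/.match(entry))` and pushing `m[:ruleId]` removes that path and also replaces the low-precedence `and` with `&&`. As rendered here the regex reads `(?\d+)` with no group name while the lookup uses `[:ruleId]`, which looks like the `<ruleId>` name was lost in extraction — worth confirming against the committed file. The `code => "` string and the `each`/`if` blocks close outside the hunk.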