Following on from my previous question (15291), our JSON extractor is now running, but there is another issue.
We are extracting from Zeek data collected from Security Onion 16.04, and the format is JSON.
The HTTP data has an optional field, status_code, in Zeek, which mostly contains a number, but is sometimes missing. The data is being stored as compound(long,string), even after forcing the index to rotate.
I would be OK with forcing the status_code to 0 if it was missing, but there seems to be no way to configure the JSON extractor to do that.
Is there another way that would work?