import json
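# Event fields whose values may contain randomised temp-file paths. Each one
# gets every normalisation pattern below applied to it.
FIELDS = [
    "process.args",
    "process.parent.args",
    "process.command_line",
    "process.parent.command_line",
    "process.working_directory",
    "process.parent.working_directory",
    "process.executable",
    "process.parent.executable",
    "file.path",
]

# (regex, replacement) pairs. Each regex matches a path with a random
# mkstemp-style suffix; the replacement is the stable prefix, so the same
# activity produces the same field value across runs and the suffix cannot be
# used to evade a path-based match.
# NOTE(review): the suffix quantifiers (".{6}", ".{10}", ".*") are unanchored
# and match any character, including "/" and whitespace, so in a free-form
# field such as process.command_line they can swallow more than the suffix.
# A class like "[^/\\s]{6}" would be tighter — confirm against real data before
# changing the pipeline.
PATTERNS = [
    ("/tmp/apt\\.data\\..{6}", "/tmp/apt.data"),
    ("/tmp/apt\\.sig\\..{6}", "/tmp/apt.sig"),
    ("/tmp/metadata-scripts.*/startup-script",
     "/tmp/metadata-scripts/startup-script"),
    ("/tmp/apt-key-gpghome\\..{10}", "/tmp/apt-key-gpghome"),
    ("/tmp/detonate\\..{5}", "/tmp/detonate"),
    ("/var/tmp/dbTemp\\..{6}", "/var/tmp/dbTemp"),
    ("/etc/pki/nssdb/dbTemp\\..{6}", "/etc/pki/nssdb/dbTemp"),
]


def build_gsub_processors(fields, patterns, *, ignore_missing=True):
    """Return one ``gsub`` processor definition per (field, pattern) pair.

    The result is ordered field-major: all patterns for ``fields[0]``, then
    all patterns for ``fields[1]``, and so on. The dict layout
    (``{"gsub": {"field", "pattern", "replacement", "ignore_missing"}}``)
    is the shape this script emits; it is presumably consumed by an ingest
    pipeline definition — verify against the pipeline that loads it.

    Args:
        fields: Field names to apply the substitutions to.
        patterns: Iterable of ``(regex, replacement)`` pairs.
        ignore_missing: Value written to each processor's ``ignore_missing``
            key (``True`` so events lacking a field are not rejected).

    Returns:
        A list of processor dicts; empty if either input is empty.
    """
    return [
        {
            "gsub": {
                "field": field,
                "pattern": regex,
                "replacement": replacement,
                "ignore_missing": ignore_missing,
            }
        }
        for field in fields
        for regex, replacement in patterns
    ]


# Emitted as a JSON array so it can be pasted into a pipeline definition.
output = build_gsub_processors(FIELDS, PATTERNS)
print(json.dumps(output, indent=4))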