avoid OpenSearch search shard failures by including unspecified roles in indexes during NetBox enrichment

[niavasha]

Problem

OpenSearch shard failures occur when aggregating on source.device.role field because the field exists in index mappings but contains no data. NetBox-enriched documents were missing the role field entirely, even though devices in NetBox have roles assigned (including the default "Unspecified" role).

Root Cause

The crush() function in /logstash/ruby/netbox_enrich.rb was filtering out any values equal to "Unspecified" or "unspecified" (lines 800-805). Since most auto-populated devices in NetBox get assigned the "Unspecified" role by default, this caused the role field to be removed from enrichment results before being written to OpenSearch.

Solution

Modified the crush() function to preserve the role field even when its value is "Unspecified". This ensures the field is always populated for proper aggregation support.

Testing

1. Updated the Ruby script in the Logstash container
2. Restarted Logstash to load the changes
3. Verified new documents contain source.device.role field with "Unspecified" value
4. Confirmed OpenSearch aggregations on the role field no longer cause shard failures

Verification Query

curl -k -u admin:password 'https://localhost:9200/arkime_sessions3-*/_search?size=1' \
  -H 'Content-Type: application/json' \
  -d '{
    "query": {
      "bool": {
        "must": [
          {"term": {"event.dataset": "conn"}},
          {"range": {"@timestamp": {"gte": "now-30m"}}}
        ]
      }
    },
    "_source": ["source.device.role", "related.role"]
  }'

Expected Result

Documents now include:

{
  "source": {
    "device": {
      "role": ["Unspecified"]
    }
  },
  "related": {
    "role": ["Unspecified"]
  }
}

Impact

• Fixes OpenSearch shard failures when aggregating on device role fields
• Enables proper role-based filtering and analysis in dashboards
• Maintains backward compatibility with existing NetBox enrichment logic
• Preserves the "Unspecified" value which is semantically important for inventory tracking

Related Issues

• Addresses shard failures on source.device.role aggregations
• Ensures complete NetBox device metadata is available for analysis
• Supports inventory management use cases requiring role-based device categorization

[mmguero]

Thanks for the explanation and PR, I'll get the commit pulled in for the next release.

[mmguero]

I've pulled your commits, with attribution, from your branch into our development branch. It'll be merged into this repo as part of the v25.08.1 release. Even though I'm closing this PR without merging, your changes will be in effect when it's released next week.