I am using Graylog to forward my windows events, all the events field names start with winlogbeat, but some are
_event_data_targetname and some are _event_data_Subjectname. This appears to be different based on windows event type.

Can I do a

if winlogbeats_event_data_targetnamedomain  not null then 
                FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_TargetDomainName as Account_Domain
else
               FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_SubjectDomainName as Account_Domain

Thanks!