- Auditbeat Reference: other versions:
- Overview
- Getting started with Auditbeat
- Setting up and running Auditbeat
- Upgrading Auditbeat
- Configuring Auditbeat
- Specify which modules to run
- Specify general settings
- Reload the configuration dynamically
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Decode Base64 fields
- Decompress gzip fields
- Community ID Network Flow Hash
- Convert
- Drop events
- Drop fields from events
- Extract array
- Keep fields from events
- Registered Domain
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Add Observer metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- auditbeat.reference.yml
- Modules
- Exported fields
- Monitoring Auditbeat
- Securing Auditbeat
- Troubleshooting
- Get Help
- Debug
- Common problems
- Auditbeat fails to watch folders because too many files are open
- Auditbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Contributing to Beats
IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Dissect strings
editDissect strings
editThe dissect processor tokenizes incoming strings using defined patterns.
processors: - dissect: tokenizer: "%{key1} %{key2}" field: "message" target_prefix: "dissect"
The dissect processor has the following configuration settings:
-
field -
(Optional) The event field to tokenize. Default is
message. -
target_prefix -
(Optional) The name of the field where the values will be extracted. When an empty
string is defined, the processor will create the keys at the root of the event. Default is
dissect. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect.
For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
A key can contain any characters except reserved suffix or prefix modifiers: /,&, +
and ?.
See Conditions for a list of supported conditions.
Was this helpful?
Thank you for your feedback.