Append Processor
The append processor appends one or more values to an existing array if the target field already exists and is an array. If the field exists and is a scalar, the processor converts it to an array and appends the values to it. The values can be one or more static values, or one or more values taken from the fields listed under the fields key.
- target_field: The field in which you want to append the data.
- fields: (Optional) List of fields from which you want to copy data. If the value is of a concrete type, it is appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
- values: (Optional) List of static values you want to append to the target field.
- ignore_empty_values: (Optional) If set to true, all "" and nil values are omitted from being appended to the target field.
- fail_on_error: (Optional) If set to true and an error occurs, the changes are reverted and the original is returned. If set to false, processing continues if an error occurs. Default is true.
- allow_duplicate: (Optional) If set to false, the processor does not append values already present in the field. The default is true, which will append duplicate values in the array.
- ignore_missing: (Optional) Indicates whether to ignore events that lack the source field. The default is false, which will fail processing of an event if a field is missing.
Note: If you want to use the fields parameter with fields under message, make sure you use decode_json_fields first with target: "".
For example, this configuration:
    processors:
      - decode_json_fields:
          fields: message
          target: ""
      - append:
          target_field: target-field
          fields:
            - concrete.field
            - array.one
          values:
            - static-value
            - ""
          ignore_missing: true
          fail_on_error: true
          ignore_empty_values: true

Copies the values of the concrete.field and array.one response fields and the static values to target-field:

    {
      "concrete": {
        "field": "val0"
      },
      "array": {
        "one": [ "val1", "val2" ]
      },
      "target-field": [ "val0", "val1", "val2", "static-value" ]
    }
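The options described above can be dry-run against a sample event before a configuration is deployed. The following Python model is an added example, not Beats code: it follows the behaviour documented on this page with fail_on_error left at its default of true, and the names append_model, get_path, as_list and demo, as well as the sample event, are constructed for illustration. It assumes that a missing target field is created and that allow_duplicate: false de-duplicates the whole result, keeping the first occurrence.

```python
def get_path(event, dotted):
    """Return (found, value) for a dotted key such as 'array.one'."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def as_list(value):
    return list(value) if isinstance(value, list) else [value]  # arrays are flattened

def append_model(event, target_field, fields=(), values=(),
                 ignore_empty_values=False, allow_duplicate=True,
                 ignore_missing=False):
    """Model of append with fail_on_error: true. Returns (event, error)."""
    found, current = get_path(event, target_field)
    out = as_list(current) if found else []  # a scalar target becomes an array
    for name in fields:
        found, value = get_path(event, name)
        if not found:
            if ignore_missing:
                continue
            return event, f"missing field: {name}"  # nothing written: event unchanged
        out.extend(as_list(value))
    out.extend(values)
    if ignore_empty_values:
        out = [v for v in out if v is not None and v != ""]
    if not allow_duplicate:
        # Assumption: the whole result is de-duplicated, first occurrence kept.
        out = [v for i, v in enumerate(out) if v not in out[:i]]
    *parents, leaf = target_field.split(".")
    node = event
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = out
    return event, None

def demo():
    # Constructed sample event, not real Auditbeat output.
    event = {"user": {"name": "alice", "effective": {"name": "root"}},
             "related": {"user": "alice"}}
    fields = ["user.name", "user.effective.name", "user.target.name"]
    return append_model(event, "related.user", fields=fields, values=[""],
                        ignore_empty_values=True, allow_duplicate=False,
                        ignore_missing=True)

if __name__ == "__main__":
    print(demo())
```

In the demo, the scalar related.user is converted to an array, the absent user.target.name is skipped because ignore_missing is true, and the empty static value and the repeated user name are dropped.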