WARNING: Version 5.4 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Filtering and Enhancing the Exported Data
editFiltering and Enhancing the Exported Data
editYou can define processors in your configuration to process events before they are sent to the configured output.The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Packetbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...
For example, the following configuration includes a subset of the Packetbeat DNS fields so that only the requests and their response codes are reported:
processors: - include_fields: fields: - bytes_in - bytes_out - ip - client_ip - dns.question.name - dns.question.etld_plus_one - dns.response_code
The filtered event would look something like this:
{ "@timestamp": "2016-03-28T14:48:21.732Z", "bytes_in": 32, "bytes_out": 48, "client_ip": "192.168.10.111", "dns": { "question": { "etld_plus_one": "google.com.", "name": "www.google.com." }, "response_code": "NOERROR" }, "ip": "8.8.8.8", "type": "dns" }
If you would like to drop all the successful transactions, you can use the following configuration:
processors: - drop_event: when: equals: http.response.code: 200
If you don’t want to export raw data for the successful transactions:
processors: - drop_fields: when: equals: http.response.code: 200 fields: ["request", "response"]
See Processors for more information.