NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Filter and Enhance the exported data
editFilter and Enhance the exported data
editYou can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Winlogbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...
For example, the following filter configuration drops a few fields that are rarely used (provider_guid
, process_id
, thread_id
, and version
) and one nested field, event_data.ErrorSourceTable
:
processors: - drop_fields: fields: [provider_guid, process_id, thread_id, version, event_data.ErrorSourceTable]