- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Set up Fleet Server
- Install Elastic Agents
- Install Fleet-managed Elastic Agents
- Install standalone Elastic Agents (advanced users)
- Install Elastic Agents in a containerized environment
- Installation layout
- Air-gapped environments
- Use a proxy server with Elastic Agent and Fleet
- Uninstall Elastic Agents from edge hosts
- Start and stop Elastic Agents on edge hosts
- Elastic Agent configuration encryption
- Secure connections
- Manage Elastic Agents in Fleet
- Manage integrations
- Configure standalone Elastic Agents
- Define processors
- Processor syntax
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Command reference
- Troubleshoot
- Release notes
Replace fields from events
editReplace fields from events
editThe replace
processor takes a list of fields to search for a matching
value and replaces the matching value with a specified string.
The replace
processor cannot be used to create a completely new value.
You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
Example
editThe following example changes the path from /usr/bin
to /usr/local/bin
:
- replace: fields: - field: "file.path" pattern: "/usr/" replacement: "/usr/local/" ignore_missing: false fail_on_error: true
Configuration settings
editElastic Agent processors execute before ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer to What are some limitations of using processors?
Name | Required | Default | Description |
---|---|---|---|
|
Yes |
List of one or more items. Each item contains a
|
|
|
No |
|
Whether to ignore missing fields. If |
|
No |
|
Whether to fail replacement of field values if an error occurs.
If |
See Conditions for a list of supported conditions.
On this page