IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Rename fields from events Script Processor »
Elastic Docs Fleet and Elastic Agent Guide [8.8] Define processors

Replace fields from events

edit

Replace fields from events

edit

The replace processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.

The replace processor cannot be used to create a completely new value.

You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.

Example

edit

The following example changes the path from /usr/bin to /usr/local/bin:

  - replace:
      fields:
        - field: "file.path"
          pattern: "/usr/"
          replacement: "/usr/local/"
      ignore_missing: false
      fail_on_error: true

Configuration settings

edit

Elastic Agent processors execute before ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer to What are some limitations of using processors?

Name Required Default Description

fields

Yes

List of one or more items. Each item contains a field: field-name, pattern: regex-pattern, and replacement: replacement-string, where:

  • field is the original field name. You can use the @metadata. prefix in this field to replace values in the event metadata instead of event fields.
  • pattern is the regex pattern to match the field’s value
  • replacement is the replacement string to use to update the field’s value

ignore_missing

No

false

Whether to ignore missing fields. If true, no error is logged if the specified field is missing.

fail_on_error

No

true

Whether to fail replacement of field values if an error occurs. If true and there’s an error, the replacement of field values is stopped, and the original event is returned. If false, replacement continues even if an error occurs during replacement.

See Conditions for a list of supported conditions.

« Rename fields from events Script Processor »