Script Processor
editScript Processor
editThe script
processor executes Javascript code to process an event. The processor
uses a pure Go implementation of ECMAScript 5.1 and has no external
dependencies. This can be useful in situations where one of the other processors
doesn’t provide the functionality you need to filter events.
The processor can be configured by embedding Javascript in your configuration file or by pointing the processor at external files.
Examples
edit- script: lang: javascript source: > function process(event) { event.Tag("js"); }
This example loads filter.js
from disk:
- script: lang: javascript file: ${path.config}/filter.js
Parameters can be passed to the script by adding params
to the config.
This allows for a script to be made reusable. When using params
the
code must define a register(params)
function to receive the parameters.
- script: lang: javascript tag: my_filter params: threshold: 15 source: > var params = {threshold: 42}; function register(scriptParams) { params = scriptParams; } function process(event) { if (event.Get("severity") < params.threshold) { event.Cancel(); } }
If the script defines a test()
function, it will be invoked when the processor
is loaded. Any exceptions thrown will cause the processor to fail to load. This
can be used to make assertions about the behavior of the script.
function process(event) { if (event.Get("event.code") === 1102) { event.Put("event.action", "cleared"); } return event; } function test() { var event = process(new Event({event: {code: 1102}})); if (event.Get("event.action") !== "cleared") { throw "expected event.action === cleared"; } }
Configuration settings
editElastic Agent processors execute before ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer to What are some limitations of using processors?
Name | Required | Default | Description |
---|---|---|---|
|
Yes |
The value of this field must be |
|
|
No |
Optional identifier added to log messages. If defined, this tag enables metrics logging for this instance of the processor. The metrics include the number of exceptions and a histogram of the execution times for the |
|
|
Inline Javascript source code. |
||
|
Path to a script file to load. Relative paths are interpreted as relative to the |
||
|
List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the |
||
|
A dictionary of parameters that are passed to the |
||
|
|
Tag to add to events in case the Javascript code causes an exception while processing an event. |
|
|
no timeout |
An execution timeout for the |
|
|
|
The maximum number of Javascript VM sessions that will be cached to avoid reallocation. |
Event API
editThe Event
object passed to the process
method has the following API.
Method | Description |
---|---|
|
Get a value from the event (either a scalar or an object). If the key does not
exist Example: |
|
Put a value into the event. If the key was already set then the previous value is returned. It throws an exception if the key cannot be set because one of the intermediate values is not an object. Example: |
|
Rename a key in the event. The target key must not exist. It returns true if the source key was successfully renamed to the target key. Example: |
|
Delete a field from the event. It returns true on success. Example: |
|
Flag the event as cancelled which causes the processor to drop event. Example: |
|
Append a tag to the Example: |
|
Example: |