diff --git a/libbeat/docs/processors-using.asciidoc b/libbeat/docs/processors-using.asciidoc index 6b09db7505ca..7aa2e7bd57f0 100644 --- a/libbeat/docs/processors-using.asciidoc +++ b/libbeat/docs/processors-using.asciidoc @@ -1,25 +1,24 @@ [[defining-processors]] === Define processors -You define processors in the +{beatname_lc}.yml+ file to filter and enhance the -data before sending events to the configured output. - -To define a processor, you specify the processor name, an optional condition, -and a set of parameters: +You can use processors to filter and enhance data before sending it to the +configured output. To define a processor, you specify the processor name, an +optional condition, and a set of parameters: [source,yaml] ------ processors: - - : - - when: - - - : - - when: - -... +- : + when: + + + +- : + when: + + +... ------ Where: @@ -27,11 +26,134 @@ Where: * `` specifies a <> that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event. -* `` specifies an optional <>. If the +* `` specifies an optional <>. If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is passed, then the action is always executed. * `` is the list of parameters to pass to the processor. + +[[where-valid]] +==== Where are processors valid? + +// TODO: ANY NEW BEATS THAT RE-USE THIS TOPIC NEED TO DEFINE processor-scope. + +ifeval::["{beatname_lc}"=="filebeat"] +:processor-scope: input +endif::[] + +ifeval::["{beatname_lc}"=="auditbeat" or "{beatname_lc}"=="metricbeat"] +:processor-scope: module +endif::[] + +ifeval::["{beatname_lc}"=="packetbeat"] +:processor-scope: protocol +endif::[] + +ifeval::["{beatname_lc}"=="heartbeat"] +:processor-scope: monitor +endif::[] + +ifeval::["{beatname_lc}"=="winlogbeat"] +:processor-scope: event log shipper +endif::[] + +Processors are valid: + +* At the top-level in the configuration. The processor is applied to all data +collected by {beatname_uc}. +* Under a specific {processor-scope}. The processor is applied to the data +collected for that {processor-scope}. For example: ++ +ifeval::["{beatname_lc}"=="filebeat"] +[source,yaml] +------ +- type: + processors: + - : + when: + + +... +------ ++ +Similarly, for {beatname_uc} modules, you can define processors under the +`input` section of the module definition. +endif::[] +ifeval::["{beatname_lc}"=="metricbeat"] +[source,yaml] +---- +- module: + metricsets: [""] + processors: + - : + when: + + +---- +endif::[] +ifeval::["{beatname_lc}"=="auditbeat"] +[source,yaml] +---- +auditbeat.modules: +- module: + processors: + - : + when: + + +---- +endif::[] +ifeval::["{beatname_lc}"=="packetbeat"] +[source,yaml] +---- +packetbeat.protocols: +- type: + processors: + - : + when: + + +---- + +* Under `packetbeat.flows`. The processor is applied to the data in +<>: ++ +[source,yaml] +---- +packetbeat.flows: + processors: + - : + when: + + +---- +endif::[] +ifeval::["{beatname_lc}"=="heartbeat"] +[source,yaml] +---- +heartbeat.monitors: +- type: + processors: + - : + when: + + +---- +endif::[] +ifeval::["{beatname_lc}"=="winlogbeat"] +[source,yaml] +---- +winlogbeat.event_logs: +- name: + processors: + - : + when: + + +---- +endif::[] + + [[processors]] ==== Processors