diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
index 08e574b193c..716d0fbc2c2 100644
--- a/auditbeat/auditbeat.reference.yml
+++ b/auditbeat/auditbeat.reference.yml
@@ -243,151 +243,151 @@ auditbeat.modules:
# values:
#
#processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
#
# The following example drops the events that have the HTTP response code 200:
#
#processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
#
# The following example renames the field a to b:
#
#processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
#
# The following example tokenizes the string into fields:
#
#processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
#
# The following example enriches each event with metadata from the cloud
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
# Tencent Cloud, and Alibaba Cloud.
#
#processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
#
# The following example enriches each event with the machine's local time zone
# offset from UTC.
#
#processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
#
# The following example enriches each event with docker metadata, it matches
# given fields to an existing container id and adds info from that container:
#
#processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
#
# The following example enriches each event with docker metadata, it matches
# container id from log path available in `source` field (by default it expects
# it to be /var/lib/docker/containers/*/*.log).
#
#processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
#
# The following example enriches each event with host metadata.
#
#processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
#
# The following example enriches each event with process metadata using
# process IDs included in the event.
#
#processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
#
# The following example decodes fields containing JSON strings
# and replaces the strings with valid JSON objects.
#
#processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
#
#processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#
# The following example copies the value of message to message_copied
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
#
# The following example truncates the value of message to 1024 bytes
#
#processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example preserves the raw message under event.original
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example URL-decodes the value of field1 to field2
#
#processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#============================= Elastic Cloud ==================================
diff --git a/filebeat/docs/filebeat-filtering.asciidoc b/filebeat/docs/filebeat-filtering.asciidoc
index 87eaf2ce72e..b0d7efab0dc 100644
--- a/filebeat/docs/filebeat-filtering.asciidoc
+++ b/filebeat/docs/filebeat-filtering.asciidoc
@@ -37,10 +37,10 @@ The following configuration drops all the DEBUG messages.
[source,yaml]
-----------------------------------------------------
processors:
- - drop_event:
- when:
+ - drop_event:
+ when:
regexp:
- message: "^DBG:"
+ message: "^DBG:"
-----------------------------------------------------
To drop all the log messages coming from a certain log file:
@@ -48,10 +48,10 @@ To drop all the log messages coming from a certain log file:
[source,yaml]
----------------
processors:
- - drop_event:
- when:
+ - drop_event:
+ when:
contains:
- source: "test"
+ source: "test"
----------------
[float]
diff --git a/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc b/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc
index 3d7f8655cc6..287b3bdbb3c 100644
--- a/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc
+++ b/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc
@@ -8,7 +8,7 @@ configuration:
[source,yaml]
-------------------------------------------------------------------------------
processors:
-- add_kubernetes_metadata:
- default_indexers.enabled: false
- default_matchers.enabled: false
+ - add_kubernetes_metadata:
+ default_indexers.enabled: false
+ default_matchers.enabled: false
-------------------------------------------------------------------------------
diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
index 3b69c85af3d..31e4d3eaa92 100644
--- a/filebeat/filebeat.reference.yml
+++ b/filebeat/filebeat.reference.yml
@@ -949,151 +949,151 @@ filebeat.inputs:
# values:
#
#processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
#
# The following example drops the events that have the HTTP response code 200:
#
#processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
#
# The following example renames the field a to b:
#
#processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
#
# The following example tokenizes the string into fields:
#
#processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
#
# The following example enriches each event with metadata from the cloud
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
# Tencent Cloud, and Alibaba Cloud.
#
#processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
#
# The following example enriches each event with the machine's local time zone
# offset from UTC.
#
#processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
#
# The following example enriches each event with docker metadata, it matches
# given fields to an existing container id and adds info from that container:
#
#processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
#
# The following example enriches each event with docker metadata, it matches
# container id from log path available in `source` field (by default it expects
# it to be /var/lib/docker/containers/*/*.log).
#
#processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
#
# The following example enriches each event with host metadata.
#
#processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
#
# The following example enriches each event with process metadata using
# process IDs included in the event.
#
#processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
#
# The following example decodes fields containing JSON strings
# and replaces the strings with valid JSON objects.
#
#processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
#
#processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#
# The following example copies the value of message to message_copied
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
#
# The following example truncates the value of message to 1024 bytes
#
#processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example preserves the raw message under event.original
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example URL-decodes the value of field1 to field2
#
#processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#============================= Elastic Cloud ==================================
diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
index 462edb4c2a5..baae1a24d27 100644
--- a/heartbeat/heartbeat.reference.yml
+++ b/heartbeat/heartbeat.reference.yml 
@@ -394,151 +394,151 @@ heartbeat.scheduler:
# values:
#
#processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
#
# The following example drops the events that have the HTTP response code 200:
#
#processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
#
# The following example renames the field a to b:
#
#processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
#
# The following example tokenizes the string into fields:
#
#processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
#
# The following example enriches each event with metadata from the cloud
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
# Tencent Cloud, and Alibaba Cloud.
#
#processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
#
# The following example enriches each event with the machine's local time zone
# offset from UTC.
#
#processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
#
# The following example enriches each event with docker metadata, it matches
# given fields to an existing container id and adds info from that container:
#
#processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
#
# The following example enriches each event with docker metadata, it matches
# container id from log path available in `source` field (by default it expects
# it to be /var/lib/docker/containers/*/*.log).
#
#processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
#
# The following example enriches each event with host metadata.
#
#processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
#
# The following example enriches each event with process metadata using
# process IDs included in the event.
#
#processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
#
# The following example decodes fields containing JSON strings
# and replaces the strings with valid JSON objects.
#
#processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
#
#processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#
# The following example copies the value of message to message_copied
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
#
# The following example truncates the value of message to 1024 bytes
#
#processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example preserves the raw message under event.original
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example URL-decodes the value of field1 to field2
#
#processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#============================= Elastic Cloud ==================================
diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml
index fad9ced1a23..bd9cad66a87 100644
--- a/journalbeat/journalbeat.reference.yml
+++ b/journalbeat/journalbeat.reference.yml 
@@ -181,151 +181,151 @@ setup.template.settings:
# values:
#
#processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
#
# The following example drops the events that have the HTTP response code 200:
#
#processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
#
# The following example renames the field a to b:
#
#processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
#
# The following example tokenizes the string into fields:
#
#processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
#
# The following example enriches each event with metadata from the cloud
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
# Tencent Cloud, and Alibaba Cloud.
#
#processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
#
# The following example enriches each event with the machine's local time zone
# offset from UTC.
#
#processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
#
# The following example enriches each event with docker metadata, it matches
# given fields to an existing container id and adds info from that container:
#
#processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
#
# The following example enriches each event with docker metadata, it matches
# container id from log path available in `source` field (by default it expects
# it to be /var/lib/docker/containers/*/*.log).
#
#processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
#
# The following example enriches each event with host metadata.
#
#processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
#
# The following example enriches each event with process metadata using
# process IDs included in the event.
#
#processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
#
# The following example decodes fields containing JSON strings
# and replaces the strings with valid JSON objects.
#
#processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
#
#processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#
# The following example copies the value of message to message_copied
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
#
# The following example truncates the value of message to 1024 bytes
#
#processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example preserves the raw message under event.original
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example URL-decodes the value of field1 to field2
#
#processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#============================= Elastic Cloud ==================================
diff --git a/libbeat/_meta/config.reference.yml.tmpl b/libbeat/_meta/config.reference.yml.tmpl
index b1de080da82..64a3a81566b 100644
--- a/libbeat/_meta/config.reference.yml.tmpl
+++ b/libbeat/_meta/config.reference.yml.tmpl 
@@ -124,151 +124,151 @@
# values:
#
#processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
#
# The following example drops the events that have the HTTP response code 200:
#
#processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
#
# The following example renames the field a to b:
#
#processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
#
# The following example tokenizes the string into fields:
#
#processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
#
# The following example enriches each event with metadata from the cloud
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
# Tencent Cloud, and Alibaba Cloud.
#
#processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
#
# The following example enriches each event with the machine's local time zone
# offset from UTC.
#
#processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
#
# The following example enriches each event with docker metadata, it matches
# given fields to an existing container id and adds info from that container:
#
#processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
#
# The following example enriches each event with docker metadata, it matches
# container id from log path available in `source` field (by default it expects
# it to be /var/lib/docker/containers/*/*.log).
#
#processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
#
# The following example enriches each event with host metadata.
#
#processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
#
# The following example enriches each event with process metadata using
# process IDs included in the event.
#
#processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
#
# The following example decodes fields containing JSON strings
# and replaces the strings with valid JSON objects.
#
#processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
#
#processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#
# The following example copies the value of message to message_copied
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
#
# The following example truncates the value of message to 1024 bytes
#
#processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example preserves the raw message under event.original
#
#processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
# - from: message
# to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
#
# The following example URL-decodes the value of field1 to field2
#
#processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
#============================= Elastic Cloud ==================================
diff --git a/libbeat/docs/processors-list.asciidoc b/libbeat/docs/processors-list.asciidoc
index 169657aecc4..5dd95e2e3d5 100644
--- a/libbeat/docs/processors-list.asciidoc
+++ b/libbeat/docs/processors-list.asciidoc @@ -95,12 +95,12 @@ endif::[] ifndef::no_timestamp_processor[] * <> endif::[] -ifndef::no_truncate_fields_processor[] -* <> -endif::[] ifndef::no_translate_sid_processor[] * <> endif::[] +ifndef::no_truncate_fields_processor[] +* <> +endif::[] ifndef::no_urldecode_processor[] * <> endif::[] @@ -201,12 +201,12 @@ endif::[] ifndef::no_timestamp_processor[] include::{libbeat-processors-dir}/timestamp/docs/timestamp.asciidoc[] endif::[] -ifndef::no_truncate_fields_processor[] -include::{libbeat-processors-dir}/actions/docs/truncate_fields.asciidoc[] -endif::[] ifndef::no_translate_sid_processor[] include::{libbeat-processors-dir}/translate_sid/docs/translate_sid.asciidoc[] endif::[] +ifndef::no_truncate_fields_processor[] +include::{libbeat-processors-dir}/actions/docs/truncate_fields.asciidoc[] +endif::[] ifndef::no_urldecode_processor[] include::{libbeat-processors-dir}/urldecode/docs/urldecode.asciidoc[] endif::[] diff --git a/libbeat/docs/processors-using.asciidoc b/libbeat/docs/processors-using.asciidoc index 00ede87fbb4..857346135ee 100644 --- a/libbeat/docs/processors-using.asciidoc +++ b/libbeat/docs/processors-using.asciidoc @@ -8,15 +8,15 @@ optional condition, and a set of parameters: [source,yaml] ------ processors: -- : - when: - - + - : + when: + + -- : - when: - - + - : + when: + + ... ------ @@ -38,20 +38,20 @@ executed based on a single condition. [source,yaml] ---- processors: -- if: - - then: <1> - - : - - - : - - ... - else: <2> - - : - - - : - - ... + - if: + + then: <1> + - : + + - : + + ... + else: <2> + - : + + - : + + ... ---- <1> `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true. @@ -99,10 +99,10 @@ ifeval::["{beatname_lc}"=="filebeat"] ------ - type: processors: - - : - when: - - + - : + when: + + ... ------ + 
@@ -116,10 +116,10 @@ ifeval::["{beatname_lc}"=="metricbeat"] - module: metricsets: [""] processors: - - : - when: - - + - : + when: + + ---- endif::[] ifeval::["{beatname_lc}"=="auditbeat"] @@ -129,10 +129,10 @@ ifeval::["{beatname_lc}"=="auditbeat"] auditbeat.modules: - module: processors: - - : - when: - - + - : + when: + + ---- endif::[] ifeval::["{beatname_lc}"=="packetbeat"] @@ -142,10 +142,10 @@ ifeval::["{beatname_lc}"=="packetbeat"] packetbeat.protocols: - type: processors: - - : - when: - - + - : + when: + + ---- * Under `packetbeat.flows`. The processor is applied to the data in @@ -155,10 +155,10 @@ packetbeat.protocols: ---- packetbeat.flows: processors: - - : - when: - - + - : + when: + + ---- endif::[] ifeval::["{beatname_lc}"=="heartbeat"] @@ -168,10 +168,10 @@ ifeval::["{beatname_lc}"=="heartbeat"] heartbeat.monitors: - type: processors: - - : - when: - - + - : + when: + + ---- endif::[] ifeval::["{beatname_lc}"=="winlogbeat"] @@ -181,10 +181,10 @@ ifeval::["{beatname_lc}"=="winlogbeat"] winlogbeat.event_logs: - name: processors: - - : - when: - - + - : + when: + + ---- endif::[] @@ -285,8 +285,8 @@ comparing the `http.response.code` field with 400. [source,yaml] ------ range: - http.response.code: - gte: 400 + http.response.code: + gte: 400 ------ This can also be written as: @@ -294,7 +294,7 @@ This can also be written as: [source,yaml] ---- range: - http.response.code.gte: 400 + http.response.code.gte: 400 ---- The following condition checks if the CPU usage in percentage has a value @@ -303,8 +303,8 @@ between 0.5 and 0.8. [source,yaml] ------ range: - system.cpu.user.pct.gte: 0.5 - system.cpu.user.pct.lt: 0.8 + system.cpu.user.pct.gte: 0.5 + system.cpu.user.pct.lt: 0.8 ------ [float] @@ -339,7 +339,7 @@ private address space. [source,yaml] ---- network: - source.ip: private + source.ip: private ---- This condition returns true if the `destination.ip` value is within the 
@@ -348,7 +348,7 @@ IPv4 range of `192.168.1.0` - `192.168.1.255`. [source,yaml] ---- network: - destination.ip: '192.168.1.0/24' + destination.ip: '192.168.1.0/24' ---- And this condition returns true when `destination.ip` is within any of the given @@ -357,7 +357,7 @@ subnets. [source,yaml] ---- network: - destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback] + destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback] ---- [float] @@ -438,8 +438,8 @@ To configure a condition like ` OR AND `: [source,yaml] ------ or: - - - - and: + - + - and: - - diff --git a/libbeat/docs/shared-deduplication.asciidoc b/libbeat/docs/shared-deduplication.asciidoc index 997f12c488b..eec45caaf97 100644 --- a/libbeat/docs/shared-deduplication.asciidoc +++ b/libbeat/docs/shared-deduplication.asciidoc @@ -73,11 +73,11 @@ from the JSON string and stores it in the `@metadata._id` field: [source,yaml] ---- processors: - - decode_json_fields: - document_id: "myid" - fields: ["message"] - max_depth: 1 - target: "" + - decode_json_fields: + document_id: "myid" + fields: ["message"] + max_depth: 1 + target: "" ---- + The resulting document ID is `100`. diff --git a/libbeat/processors/actions/docs/add_fields.asciidoc b/libbeat/processors/actions/docs/add_fields.asciidoc index dcf54ef842b..b133d2115c8 100644 --- a/libbeat/processors/actions/docs/add_fields.asciidoc +++ b/libbeat/processors/actions/docs/add_fields.asciidoc @@ -21,11 +21,11 @@ For example, this configuration: [source,yaml] ------------------------------------------------------------------------------ processors: -- add_fields: - target: project - fields: - name: myproject - id: '574734885120952459' + - add_fields: + target: project + fields: + name: myproject + id: '574734885120952459' ------------------------------------------------------------------------------ Adds these fields to any event: 
diff --git a/libbeat/processors/actions/docs/add_labels.asciidoc b/libbeat/processors/actions/docs/add_labels.asciidoc index fca768228bf..9e87ea05088 100644 --- a/libbeat/processors/actions/docs/add_labels.asciidoc +++ b/libbeat/processors/actions/docs/add_labels.asciidoc @@ -18,16 +18,16 @@ For example, this configuration: [source,yaml] ------------------------------------------------------------------------------ processors: -- add_labels: - labels: - number: 1 - with.dots: test - nested: - with.dots: nested - array: - - do - - re - - with.field: mi + - add_labels: + labels: + number: 1 + with.dots: test + nested: + with.dots: nested + array: + - do + - re + - with.field: mi ------------------------------------------------------------------------------ Adds these fields to every event: diff --git a/libbeat/processors/actions/docs/add_tags.asciidoc b/libbeat/processors/actions/docs/add_tags.asciidoc index c6015e749f5..e338d246668 100644 --- a/libbeat/processors/actions/docs/add_tags.asciidoc +++ b/libbeat/processors/actions/docs/add_tags.asciidoc @@ -17,9 +17,9 @@ For example, this configuration: [source,yaml] ------------------------------------------------------------------------------ processors: -- add_tags: - tags: [web, production] - target: "environment" + - add_tags: + tags: [web, production] + target: "environment" ------------------------------------------------------------------------------ Adds the environment field to every event: diff --git a/libbeat/processors/actions/docs/copy_fields.asciidoc b/libbeat/processors/actions/docs/copy_fields.asciidoc index ae3816bbce9..c958d3c6e82 100644 --- a/libbeat/processors/actions/docs/copy_fields.asciidoc +++ b/libbeat/processors/actions/docs/copy_fields.asciidoc 
@@ -20,12 +20,12 @@ For example, this configuration: [source,yaml] ------------------------------------------------------------------------------ processors: -- copy_fields: - fields: - - from: message - to: event.original - fail_on_error: false - ignore_missing: true + - copy_fields: + fields: + - from: message + to: event.original + fail_on_error: false + ignore_missing: true ------------------------------------------------------------------------------ Copies the original `message` field to `event.original`: diff --git a/libbeat/processors/actions/docs/decode_base64_field.asciidoc b/libbeat/processors/actions/docs/decode_base64_field.asciidoc index 17912cca1b7..a0c413006ef 100644 --- a/libbeat/processors/actions/docs/decode_base64_field.asciidoc +++ b/libbeat/processors/actions/docs/decode_base64_field.asciidoc @@ -15,12 +15,12 @@ processor to drop the field and then rename the field. [source,yaml] ------- processors: -- decode_base64_field: - field: - from: "field1" - to: "field2" - ignore_missing: false - fail_on_error: true + - decode_base64_field: + field: + from: "field1" + to: "field2" + ignore_missing: false + fail_on_error: true ------- In the example above: diff --git a/libbeat/processors/actions/docs/decode_json_fields.asciidoc b/libbeat/processors/actions/docs/decode_json_fields.asciidoc index 6c57dac73ba..c5aa15c2a3c 100644 --- a/libbeat/processors/actions/docs/decode_json_fields.asciidoc +++ b/libbeat/processors/actions/docs/decode_json_fields.asciidoc 
@@ -11,13 +11,13 @@ replaces the strings with valid JSON objects. [source,yaml] ----------------------------------------------------- processors: - - decode_json_fields: - fields: ["field1", "field2", ...] - process_array: false - max_depth: 1 - target: "" - overwrite_keys: false - add_error_key: true + - decode_json_fields: + fields: ["field1", "field2", ...] + process_array: false + max_depth: 1 + target: "" + overwrite_keys: false + add_error_key: true ----------------------------------------------------- The `decode_json_fields` processor has the following configuration settings: diff --git a/libbeat/processors/actions/docs/decompress_gzip_field.asciidoc b/libbeat/processors/actions/docs/decompress_gzip_field.asciidoc index 44ba25f7888..102244fd29b 100644 --- a/libbeat/processors/actions/docs/decompress_gzip_field.asciidoc +++ b/libbeat/processors/actions/docs/decompress_gzip_field.asciidoc @@ -15,12 +15,12 @@ processor to drop the field and then rename the field. [source,yaml] ------- processors: -- decompress_gzip_field: - field: - from: "field1" - to: "field2" - ignore_missing: false - fail_on_error: true + - decompress_gzip_field: + field: + from: "field1" + to: "field2" + ignore_missing: false + fail_on_error: true ------- In the example above: diff --git a/libbeat/processors/actions/docs/drop_event.asciidoc b/libbeat/processors/actions/docs/drop_event.asciidoc index 01016fc6290..5dba8ec24bb 100644 --- a/libbeat/processors/actions/docs/drop_event.asciidoc +++ b/libbeat/processors/actions/docs/drop_event.asciidoc @@ -12,8 +12,8 @@ are dropped. [source,yaml] ------ processors: - - drop_event: - when: + - drop_event: + when: condition ------ diff --git a/libbeat/processors/actions/docs/drop_fields.asciidoc b/libbeat/processors/actions/docs/drop_fields.asciidoc index 865da6549fb..9e543ea376a 100644 --- a/libbeat/processors/actions/docs/drop_fields.asciidoc +++ b/libbeat/processors/actions/docs/drop_fields.asciidoc 
@@ -13,11 +13,11 @@ be dropped, even if they show up in the `drop_fields` list. [source,yaml] ----------------------------------------------------- processors: - - drop_fields: - when: + - drop_fields: + when: condition - fields: ["field1", "field2", ...] - ignore_missing: false + fields: ["field1", "field2", ...] + ignore_missing: false ----------------------------------------------------- See <> for a list of supported conditions. diff --git a/libbeat/processors/actions/docs/include_fields.asciidoc b/libbeat/processors/actions/docs/include_fields.asciidoc index 9fbc620dfbd..86b2c70e6ff 100644 --- a/libbeat/processors/actions/docs/include_fields.asciidoc +++ b/libbeat/processors/actions/docs/include_fields.asciidoc @@ -13,10 +13,10 @@ always exported, even if they are not defined in the `include_fields` list. [source,yaml] ------- processors: - - include_fields: - when: + - include_fields: + when: condition - fields: ["field1", "field2", ...] + fields: ["field1", "field2", ...] ------- See <> for a list of supported conditions. diff --git a/libbeat/processors/actions/docs/rename.asciidoc b/libbeat/processors/actions/docs/rename.asciidoc index 81d098c7d2b..29d1495a8d2 100644 --- a/libbeat/processors/actions/docs/rename.asciidoc +++ b/libbeat/processors/actions/docs/rename.asciidoc @@ -25,12 +25,12 @@ before assigning values. [source,yaml] ------- processors: -- rename: - fields: - - from: "a.g" - to: "e.d" - ignore_missing: false - fail_on_error: true + - rename: + fields: + - from: "a.g" + to: "e.d" + ignore_missing: false + fail_on_error: true ------- The `rename` processor has the following configuration settings: diff --git a/libbeat/processors/actions/docs/replace.asciidoc b/libbeat/processors/actions/docs/replace.asciidoc index 3faf3e0bcce..b833e2e84bb 100644 --- a/libbeat/processors/actions/docs/replace.asciidoc +++ b/libbeat/processors/actions/docs/replace.asciidoc 
@@ -24,13 +24,13 @@ Following example will change path from /usr/bin to /usr/local/bin [source,yaml] ------- processors: -- replace: - fields: - - field: "file.path" - pattern: "/usr/" - replacement: "/usr/local/" - ignore_missing: false - fail_on_error: true + - replace: + fields: + - field: "file.path" + pattern: "/usr/" + replacement: "/usr/local/" + ignore_missing: false + fail_on_error: true ------- The `replace` processor has following configuration settings: diff --git a/libbeat/processors/actions/docs/truncate_fields.asciidoc b/libbeat/processors/actions/docs/truncate_fields.asciidoc index a9726818672..58ddc6ed3da 100644 --- a/libbeat/processors/actions/docs/truncate_fields.asciidoc +++ b/libbeat/processors/actions/docs/truncate_fields.asciidoc @@ -23,10 +23,10 @@ For example, this configuration truncates the field named `message` to 5 charact [source,yaml] ------------------------------------------------------------------------------ processors: -- truncate_fields: - fields: - - message - max_characters: 5 - fail_on_error: false - ignore_missing: true + - truncate_fields: + fields: + - message + max_characters: 5 + fail_on_error: false + ignore_missing: true ------------------------------------------------------------------------------ diff --git a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc index d17fd326b87..9a5fcfcbf91 100644 --- a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc +++ b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc 
@@ -28,7 +28,7 @@ The simple configuration below enables the processor. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_cloud_metadata: ~ + - add_cloud_metadata: ~ ------------------------------------------------------------------------------- The `add_cloud_metadata` processor has three optional configuration settings. diff --git a/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc b/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc index aa1229ff7cb..801437a4624 100644 --- a/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc +++ b/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc 
@@ -34,20 +34,20 @@ running as non-root inside the container. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_docker_metadata: - host: "unix:///var/run/docker.sock" - #match_fields: ["system.process.cgroup.id"] - #match_pids: ["process.pid", "process.ppid"] - #match_source: true - #match_source_index: 4 - #match_short_id: true - #cleanup_timeout: 60 - #labels.dedot: false - # To connect to Docker over TLS you must specify a client and CA certificate. - #ssl: - # certificate_authority: "/etc/pki/root/ca.pem" - # certificate: "/etc/pki/client/cert.pem" - # key: "/etc/pki/client/cert.key" + - add_docker_metadata: + host: "unix:///var/run/docker.sock" + #match_fields: ["system.process.cgroup.id"] + #match_pids: ["process.pid", "process.ppid"] + #match_source: true + #match_source_index: 4 + #match_short_id: true + #cleanup_timeout: 60 + #labels.dedot: false + # To connect to Docker over TLS you must specify a client and CA certificate. + #ssl: + # certificate_authority: "/etc/pki/root/ca.pem" + # certificate: "/etc/pki/client/cert.pem" + # key: "/etc/pki/client/cert.key" ------------------------------------------------------------------------------- It has the following settings: diff --git a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc index 4a651548ff6..0c71f10d200 100644 --- a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc +++ b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc 
@@ -8,16 +8,16 @@ [source,yaml] ------------------------------------------------------------------------------- processors: -- add_host_metadata: - cache.ttl: 5m - geo: - name: nyc-dc1-rack1 - location: 40.7128, -74.0060 - continent_name: North America - country_iso_code: US - region_name: New York - region_iso_code: NY - city_name: New York + - add_host_metadata: + cache.ttl: 5m + geo: + name: nyc-dc1-rack1 + location: 40.7128, -74.0060 + continent_name: North America + country_iso_code: US + region_name: New York + region_iso_code: NY + city_name: New York ------------------------------------------------------------------------------- It has the following settings: diff --git a/libbeat/processors/add_id/docs/add_id.asciidoc b/libbeat/processors/add_id/docs/add_id.asciidoc index a68d3e96123..1a051d6b29a 100644 --- a/libbeat/processors/add_id/docs/add_id.asciidoc +++ b/libbeat/processors/add_id/docs/add_id.asciidoc @@ -10,7 +10,7 @@ The `add_id` processor generates a unique ID for an event. [source,yaml] ----------------------------------------------------- processors: - - add_id: ~ + - add_id: ~ ----------------------------------------------------- The following settings are supported: diff --git a/libbeat/processors/add_kubernetes_metadata/docs/add_kubernetes_metadata.asciidoc b/libbeat/processors/add_kubernetes_metadata/docs/add_kubernetes_metadata.asciidoc index a46120a281c..a862ba42262 100644 --- a/libbeat/processors/add_kubernetes_metadata/docs/add_kubernetes_metadata.asciidoc +++ b/libbeat/processors/add_kubernetes_metadata/docs/add_kubernetes_metadata.asciidoc @@ -56,7 +56,7 @@ Kubernetes. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_kubernetes_metadata: + - add_kubernetes_metadata: ------------------------------------------------------------------------------- The configuration below enables the processor on a Beat running as a process on 
@@ -65,11 +65,11 @@ the Kubernetes node. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_kubernetes_metadata: - host: - # If kube_config is not set, KUBECONFIG environment variable will be checked - # and if not present it will fall back to InCluster - kube_config: ${HOME}/.kube/config + - add_kubernetes_metadata: + host: + # If kube_config is not set, KUBECONFIG environment variable will be checked + # and if not present it will fall back to InCluster + kube_config: ${HOME}/.kube/config ------------------------------------------------------------------------------- The configuration below has the default indexers and matchers disabled and @@ -78,18 +78,18 @@ enables ones that the user is interested in. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_kubernetes_metadata: - host: - # If kube_config is not set, KUBECONFIG environment variable will be checked - # and if not present it will fall back to InCluster - kube_config: ~/.kube/config - default_indexers.enabled: false - default_matchers.enabled: false - indexers: - - ip_port: - matchers: - - fields: - lookup_fields: ["metricset.host"] + - add_kubernetes_metadata: + host: + # If kube_config is not set, KUBECONFIG environment variable will be checked + # and if not present it will fall back to InCluster + kube_config: ~/.kube/config + default_indexers.enabled: false + default_matchers.enabled: false + indexers: + - ip_port: + matchers: + - fields: + lookup_fields: ["metricset.host"] ------------------------------------------------------------------------------- The `add_kubernetes_metadata` processor has the following configuration settings: diff --git a/libbeat/processors/add_locale/docs/add_locale.asciidoc b/libbeat/processors/add_locale/docs/add_locale.asciidoc index 82c502cf0ac..a1a0455a69f 100644 --- a/libbeat/processors/add_locale/docs/add_locale.asciidoc 
+++ b/libbeat/processors/add_locale/docs/add_locale.asciidoc @@ -16,7 +16,7 @@ The configuration below enables the processor with the default settings. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_locale: ~ + - add_locale: ~ ------------------------------------------------------------------------------- This configuration enables the processor and configures it to add the time zone @@ -25,8 +25,8 @@ abbreviation to events. [source,yaml] ------------------------------------------------------------------------------- processors: -- add_locale: - format: abbreviation + - add_locale: + format: abbreviation ------------------------------------------------------------------------------- NOTE: Please note that `add_locale` differentiates between daylight savings diff --git a/libbeat/processors/add_observer_metadata/docs/add_observer_metadata.asciidoc b/libbeat/processors/add_observer_metadata/docs/add_observer_metadata.asciidoc index 701e90741e0..ae98fa39dc5 100644 --- a/libbeat/processors/add_observer_metadata/docs/add_observer_metadata.asciidoc +++ b/libbeat/processors/add_observer_metadata/docs/add_observer_metadata.asciidoc @@ -10,16 +10,16 @@ beta[] [source,yaml] ------------------------------------------------------------------------------- processors: -- add_observer_metadata: - cache.ttl: 5m - geo: - name: nyc-dc1-rack1 - location: 40.7128, -74.0060 - continent_name: North America - country_iso_code: US - region_name: New York - region_iso_code: NY - city_name: New York + - add_observer_metadata: + cache.ttl: 5m + geo: + name: nyc-dc1-rack1 + location: 40.7128, -74.0060 + continent_name: North America + country_iso_code: US + region_name: New York + region_iso_code: NY + city_name: New York ------------------------------------------------------------------------------- It has the following settings: 
diff --git a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc index d3e71dca920..34b5c07d6b4 100644 --- a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc +++ b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc @@ -11,9 +11,9 @@ processes, identified by their process ID (PID). [source,yaml] ------------------------------------------------------------------------------- processors: -- add_process_metadata: - match_pids: [system.process.ppid] - target: system.process.parent + - add_process_metadata: + match_pids: [system.process.ppid] + target: system.process.parent ------------------------------------------------------------------------------- The fields added to the event look as follows: diff --git a/libbeat/processors/decode_csv_fields/docs/decode_csv_fields.asciidoc b/libbeat/processors/decode_csv_fields/docs/decode_csv_fields.asciidoc index ead8551bca3..53cc3787543 100644 --- a/libbeat/processors/decode_csv_fields/docs/decode_csv_fields.asciidoc +++ b/libbeat/processors/decode_csv_fields/docs/decode_csv_fields.asciidoc @@ -14,14 +14,14 @@ This processor is available for Filebeat and Journalbeat. [source,yaml] ----------------------------------------------------- processors: - - decode_csv_fields: - fields: + - decode_csv_fields: + fields: message: decoded.csv - separator: "," - ignore_missing: false - overwrite_keys: true - trim_leading_space: false - fail_on_error: true + separator: "," + ignore_missing: false + overwrite_keys: true + trim_leading_space: false + fail_on_error: true ----------------------------------------------------- The `decode_csv_fields` has the following settings: diff --git a/libbeat/processors/dns/docs/dns.asciidoc b/libbeat/processors/dns/docs/dns.asciidoc index a6f92101033..b75fb8bf87a 100644 --- a/libbeat/processors/dns/docs/dns.asciidoc 
+++ b/libbeat/processors/dns/docs/dns.asciidoc @@ -30,11 +30,11 @@ in two fields. [source,yaml] ---- processors: -- dns: - type: reverse - fields: - source.ip: source.hostname - destination.ip: destination.hostname + - dns: + type: reverse + fields: + source.ip: source.hostname + destination.ip: destination.hostname ---- Next is a configuration example showing all options. diff --git a/libbeat/processors/extract_array/docs/extract_array.asciidoc b/libbeat/processors/extract_array/docs/extract_array.asciidoc index e30bf5c3d3c..0384a05dcca 100644 --- a/libbeat/processors/extract_array/docs/extract_array.asciidoc +++ b/libbeat/processors/extract_array/docs/extract_array.asciidoc @@ -15,9 +15,9 @@ the `my_array` field, `destination.ip` with the second element, and [source,yaml] ----------------------------------------------------- processors: - - extract_array: - field: my_array - mappings: + - extract_array: + field: my_array + mappings: source.ip: 0 destination.ip: 1 network.transport: 2 diff --git a/libbeat/processors/fingerprint/docs/fingerprint.asciidoc b/libbeat/processors/fingerprint/docs/fingerprint.asciidoc index 442fcfd8f7d..75509020c0a 100644 --- a/libbeat/processors/fingerprint/docs/fingerprint.asciidoc +++ b/libbeat/processors/fingerprint/docs/fingerprint.asciidoc @@ -11,8 +11,8 @@ specified subset of its fields. [source,yaml] ----------------------------------------------------- processors: - - fingerprint: - fields: ["field1", "field2", ...] + - fingerprint: + fields: ["field1", "field2", ...] ----------------------------------------------------- The following settings are supported: diff --git a/libbeat/processors/registered_domain/docs/registered_domain.asciidoc b/libbeat/processors/registered_domain/docs/registered_domain.asciidoc index 6e257954233..784811dca95 100644 --- a/libbeat/processors/registered_domain/docs/registered_domain.asciidoc +++ b/libbeat/processors/registered_domain/docs/registered_domain.asciidoc 
@@ -16,11 +16,11 @@ This processor uses the Mozilla Public Suffix list to determine the value. [source,yaml] ---- processors: -- registered_domain: - field: dns.question.name - target_field: dns.question.registered_domain - ignore_missing: true - ignore_failure: true + - registered_domain: + field: dns.question.name + target_field: dns.question.registered_domain + ignore_missing: true + ignore_failure: true ---- The `registered_domain` processor has the following configuration settings: diff --git a/libbeat/processors/script/docs/script.asciidoc b/libbeat/processors/script/docs/script.asciidoc index 2b89cbe3c8c..106a98a001b 100644 --- a/libbeat/processors/script/docs/script.asciidoc +++ b/libbeat/processors/script/docs/script.asciidoc @@ -16,13 +16,13 @@ file or by pointing the processor at external file(s). [source,yaml] ---- processors: -- script: - lang: javascript - id: my_filter - source: > - function process(event) { - event.Tag("js"); - } + - script: + lang: javascript + id: my_filter + source: > + function process(event) { + event.Tag("js"); + } ---- This loads `filter.js` from disk. @@ -30,10 +30,10 @@ This loads `filter.js` from disk. [source,yaml] ---- processors: -- script: - lang: javascript - id: my_filter - file: ${path.config}/filter.js + - script: + lang: javascript + id: my_filter + file: ${path.config}/filter.js ---- Parameters can be passed to the script by adding `params` to the config. 
@@ -43,21 +43,21 @@ code must define a `register(params)` function to receive the parameters. [source,yaml] ---- processors: -- script: - lang: javascript - id: my_filter - params: - threshold: 15 - source: > - var params = {threshold: 42}; - function register(scriptParams) { - params = scriptParams; - } - function process(event) { - if (event.Get("severity") < params.threshold) { - event.Cancel(); - } - } + - script: + lang: javascript + id: my_filter + params: + threshold: 15 + source: > + var params = {threshold: 42}; + function register(scriptParams) { + params = scriptParams; + } + function process(event) { + if (event.Get("severity") < params.threshold) { + event.Cancel(); + } + } ---- If the script defines a `test()` function it will be invoked when the processor diff --git a/libbeat/processors/timestamp/docs/timestamp.asciidoc b/libbeat/processors/timestamp/docs/timestamp.asciidoc index a8d569a9d9c..8c2ba6c0266 100644 --- a/libbeat/processors/timestamp/docs/timestamp.asciidoc +++ b/libbeat/processors/timestamp/docs/timestamp.asciidoc @@ -56,14 +56,14 @@ parse with this configuration. [source,yaml] ---- processors: -- timestamp: - field: start_time - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' -- drop_fields: - fields: [start_time] + - timestamp: + field: start_time + layouts: + - '2006-01-02T15:04:05Z' + - '2006-01-02T15:04:05.999Z' + test: + - '2019-06-22T16:33:51Z' + - '2019-11-18T04:59:51.123Z' + - drop_fields: + fields: [start_time] ---- diff --git a/libbeat/processors/translate_sid/docs/translate_sid.asciidoc b/libbeat/processors/translate_sid/docs/translate_sid.asciidoc index 68f7fd2542d..9878e0667c0 100644 --- a/libbeat/processors/translate_sid/docs/translate_sid.asciidoc +++ b/libbeat/processors/translate_sid/docs/translate_sid.asciidoc 
@@ -1,6 +1,10 @@ [[processor-translate-sid]] === Translate SID +++++ +translate_sid +++++ + beta[] The `translate_sid` processor translates a Windows security identifier (SID) @@ -19,12 +23,12 @@ unless `ignore_failure` is set. [source,yaml] ---- processors: -- translate_sid: - field: winlog.event_data.MemberSid - account_name_target: user.name - domain_target: user.domain - ignore_missing: true - ignore_failure: true + - translate_sid: + field: winlog.event_data.MemberSid + account_name_target: user.name + domain_target: user.domain + ignore_missing: true + ignore_failure: true ---- The `translate_sid` processor has the following configuration settings: diff --git a/libbeat/processors/urldecode/docs/urldecode.asciidoc b/libbeat/processors/urldecode/docs/urldecode.asciidoc index 6a544749d2c..427090627bf 100644 --- a/libbeat/processors/urldecode/docs/urldecode.asciidoc +++ b/libbeat/processors/urldecode/docs/urldecode.asciidoc @@ -14,12 +14,12 @@ key, each entry contains a `from: source-field` and a `to: target-field` pair, w [source,yaml] ------- processors: -- urldecode: - fields: - - from: "field1" - to: "field2" - ignore_missing: false - fail_on_error: true + - urldecode: + fields: + - from: "field1" + to: "field2" + ignore_missing: false + fail_on_error: true ------- In the example above: diff --git a/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc b/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc index 2e1e4dde705..c3bf974d53d 100644 --- a/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc +++ b/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc 
@@ -8,7 +8,7 @@ configuration: [source,yaml] ------------------------------------------------------------------------------- processors: -- add_kubernetes_metadata: - default_indexers.enabled: false - default_matchers.enabled: false + - add_kubernetes_metadata: + default_indexers.enabled: false + default_matchers.enabled: false ------------------------------------------------------------------------------- diff --git a/metricbeat/docs/metricbeat-filtering.asciidoc b/metricbeat/docs/metricbeat-filtering.asciidoc index c7ea4c353c5..096948238ea 100644 --- a/metricbeat/docs/metricbeat-filtering.asciidoc +++ b/metricbeat/docs/metricbeat-filtering.asciidoc @@ -13,8 +13,8 @@ dropping the `agent.name` and `agent.version` fields under `beat` from all docum [source, yaml] ---- processors: - - drop_fields: - fields: ['agent'] + - drop_fields: + fields: ['agent'] ---- include::{libbeat-dir}/processors-using.asciidoc[] diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index ce8bd6d7ada..aa0aac52e97 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml 
@@ -996,151 +996,151 @@ metricbeat.modules: # values: # #processors: -#- include_fields: -# fields: ["cpu"] -#- drop_fields: -# fields: ["cpu.user", "cpu.system"] +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] # # The following example drops the events that have the HTTP response code 200: # #processors: -#- drop_event: -# when: -# equals: -# http.code: 200 +# - drop_event: +# when: +# equals: +# http.code: 200 # # The following example renames the field a to b: # #processors: -#- rename: -# fields: -# - from: "a" -# to: "b" +# - rename: +# fields: +# - from: "a" +# to: "b" # # The following example tokenizes the string into fields: # #processors: -#- dissect: -# tokenizer: "%{key1} - %{key2}" -# field: "message" -# target_prefix: "dissect" +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" # # The following example enriches each event with metadata from the cloud # provider about the host machine. It works on EC2, GCE, DigitalOcean, # Tencent Cloud, and Alibaba Cloud. # #processors: -#- add_cloud_metadata: ~ +# - add_cloud_metadata: ~ # # The following example enriches each event with the machine's local time zone # offset from UTC. # #processors: -#- add_locale: -# format: offset +# - add_locale: +# format: offset # # The following example enriches each event with docker metadata, it matches # given fields to an existing container id and adds info from that container: # #processors: -#- add_docker_metadata: -# host: "unix:///var/run/docker.sock" -# match_fields: ["system.process.cgroup.id"] -# match_pids: ["process.pid", "process.ppid"] -# match_source: true -# match_source_index: 4 -# match_short_id: false -# cleanup_timeout: 60 -# labels.dedot: false -# # To connect to Docker over TLS you must specify a client and CA certificate. 
-# #ssl: -# # certificate_authority: "/etc/pki/root/ca.pem" -# # certificate: "/etc/pki/client/cert.pem" -# # key: "/etc/pki/client/cert.key" +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" # # The following example enriches each event with docker metadata, it matches # container id from log path available in `source` field (by default it expects # it to be /var/lib/docker/containers/*/*.log). # #processors: -#- add_docker_metadata: ~ +# - add_docker_metadata: ~ # # The following example enriches each event with host metadata. # #processors: -#- add_host_metadata: ~ +# - add_host_metadata: ~ # # The following example enriches each event with process metadata using # process IDs included in the event. # #processors: -#- add_process_metadata: -# match_pids: ["system.process.ppid"] -# target: system.process.parent +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent # # The following example decodes fields containing JSON strings # and replaces the strings with valid JSON objects. # #processors: -#- decode_json_fields: -# fields: ["field1", "field2", ...] -# process_array: false -# max_depth: 1 -# target: "" -# overwrite_keys: false +# - decode_json_fields: +# fields: ["field1", "field2", ...] 
+# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false # #processors: -#- decompress_gzip_field: -# from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true # # The following example copies the value of message to message_copied # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: message_copied -# fail_on_error: true -# ignore_missing: false +# fail_on_error: true +# ignore_missing: false # # The following example truncates the value of message to 1024 bytes # #processors: -#- truncate_fields: -# fields: -# - message -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example preserves the raw message under event.original # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: event.original -# fail_on_error: false -# ignore_missing: true -#- truncate_fields: -# fields: -# - event.original -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example URL-decodes the value of field1 to field2 # #processors: -#- urldecode: -# fields: -# - from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true #============================= Elastic Cloud ================================== diff --git a/metricbeat/module/system/filesystem/_meta/docs.asciidoc b/metricbeat/module/system/filesystem/_meta/docs.asciidoc index dd10e665cf7..97029f24a83 100644 
--- a/metricbeat/module/system/filesystem/_meta/docs.asciidoc +++ b/metricbeat/module/system/filesystem/_meta/docs.asciidoc @@ -48,6 +48,6 @@ metricbeat.modules: period: 30s metricsets: ["filesystem"] processors: - - drop_event.when.regexp: - system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host)($|/)' + - drop_event.when.regexp: + system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host)($|/)' ---- diff --git a/metricbeat/module/windows/service/_meta/docs.asciidoc b/metricbeat/module/windows/service/_meta/docs.asciidoc index bba2cd8e8f6..21ef4b45047 100644 --- a/metricbeat/module/windows/service/_meta/docs.asciidoc +++ b/metricbeat/module/windows/service/_meta/docs.asciidoc @@ -32,6 +32,6 @@ except for the events for the firewall service. See metricsets: ["service"] period: 60s processors: - - drop_event.when.not.equals: - windows.service.display_name: Windows Firewall + - drop_event.when.not.equals: + windows.service.display_name: Windows Firewall ---- diff --git a/packetbeat/docs/packetbeat-filtering.asciidoc b/packetbeat/docs/packetbeat-filtering.asciidoc index 3ac4d31f7c9..a3513659cf4 100644 --- a/packetbeat/docs/packetbeat-filtering.asciidoc +++ b/packetbeat/docs/packetbeat-filtering.asciidoc @@ -55,10 +55,10 @@ following configuration: [source,yaml] ---- processors: - - drop_event: - when: + - drop_event: + when: equals: - http.response.status_code: 200 + http.response.status_code: 200 ---- @@ -67,11 +67,11 @@ If you don't want to export raw data for the successful transactions: [source,yaml] ---- processors: - - drop_fields: - when: + - drop_fields: + when: equals: - http.response.status_code: 200 - fields: ["request", "response"] + http.response.status_code: 200 + fields: ["request", "response"] ---- include::{libbeat-dir}/processors-using.asciidoc[] diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 7d1e93bfb92..759687a288b 100644 --- a/packetbeat/packetbeat.reference.yml 
+++ b/packetbeat/packetbeat.reference.yml 
@@ -670,151 +670,151 @@ packetbeat.ignore_outgoing: false # values: # #processors: -#- include_fields: -# fields: ["cpu"] -#- drop_fields: -# fields: ["cpu.user", "cpu.system"] +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] # # The following example drops the events that have the HTTP response code 200: # #processors: -#- drop_event: -# when: -# equals: -# http.code: 200 +# - drop_event: +# when: +# equals: +# http.code: 200 # # The following example renames the field a to b: # #processors: -#- rename: -# fields: -# - from: "a" -# to: "b" +# - rename: +# fields: +# - from: "a" +# to: "b" # # The following example tokenizes the string into fields: # #processors: -#- dissect: -# tokenizer: "%{key1} - %{key2}" -# field: "message" -# target_prefix: "dissect" +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" # # The following example enriches each event with metadata from the cloud # provider about the host machine. It works on EC2, GCE, DigitalOcean, # Tencent Cloud, and Alibaba Cloud. # #processors: -#- add_cloud_metadata: ~ +# - add_cloud_metadata: ~ # # The following example enriches each event with the machine's local time zone # offset from UTC. # #processors: -#- add_locale: -# format: offset +# - add_locale: +# format: offset # # The following example enriches each event with docker metadata, it matches # given fields to an existing container id and adds info from that container: # #processors: -#- add_docker_metadata: -# host: "unix:///var/run/docker.sock" -# match_fields: ["system.process.cgroup.id"] -# match_pids: ["process.pid", "process.ppid"] -# match_source: true -# match_source_index: 4 -# match_short_id: false -# cleanup_timeout: 60 -# labels.dedot: false -# # To connect to Docker over TLS you must specify a client and CA certificate. 
-# #ssl: -# # certificate_authority: "/etc/pki/root/ca.pem" -# # certificate: "/etc/pki/client/cert.pem" -# # key: "/etc/pki/client/cert.key" +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" # # The following example enriches each event with docker metadata, it matches # container id from log path available in `source` field (by default it expects # it to be /var/lib/docker/containers/*/*.log). # #processors: -#- add_docker_metadata: ~ +# - add_docker_metadata: ~ # # The following example enriches each event with host metadata. # #processors: -#- add_host_metadata: ~ +# - add_host_metadata: ~ # # The following example enriches each event with process metadata using # process IDs included in the event. # #processors: -#- add_process_metadata: -# match_pids: ["system.process.ppid"] -# target: system.process.parent +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent # # The following example decodes fields containing JSON strings # and replaces the strings with valid JSON objects. # #processors: -#- decode_json_fields: -# fields: ["field1", "field2", ...] -# process_array: false -# max_depth: 1 -# target: "" -# overwrite_keys: false +# - decode_json_fields: +# fields: ["field1", "field2", ...] 
+# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false # #processors: -#- decompress_gzip_field: -# from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true # # The following example copies the value of message to message_copied # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: message_copied -# fail_on_error: true -# ignore_missing: false +# fail_on_error: true +# ignore_missing: false # # The following example truncates the value of message to 1024 bytes # #processors: -#- truncate_fields: -# fields: -# - message -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example preserves the raw message under event.original # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: event.original -# fail_on_error: false -# ignore_missing: true -#- truncate_fields: -# fields: -# - event.original -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example URL-decodes the value of field1 to field2 # #processors: -#- urldecode: -# fields: -# - from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true #============================= Elastic Cloud ================================== diff --git a/winlogbeat/docs/modules.asciidoc b/winlogbeat/docs/modules.asciidoc index a48f0e4ed11..f8d57950a12 100644 --- a/winlogbeat/docs/modules.asciidoc 
+++ b/winlogbeat/docs/modules.asciidoc @@ -35,16 +35,16 @@ winlogbeat.event_logs: - name: ForwardedEvents tags: [forwarded] processors: - - script: - when.equals.winlog.channel: Security - lang: javascript - id: security - file: ${path.home}/module/security/config/winlogbeat-security.js - - script: - when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational - lang: javascript - id: sysmon - file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js + - script: + when.equals.winlog.channel: Security + lang: javascript + id: security + file: ${path.home}/module/security/config/winlogbeat-security.js + - script: + when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational + lang: javascript + id: sysmon + file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js ---- [float] diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index fa67ccca4ed..b678ce23245 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml 
@@ -166,151 +166,151 @@ winlogbeat.event_logs: # values: # #processors: -#- include_fields: -# fields: ["cpu"] -#- drop_fields: -# fields: ["cpu.user", "cpu.system"] +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] # # The following example drops the events that have the HTTP response code 200: # #processors: -#- drop_event: -# when: -# equals: -# http.code: 200 +# - drop_event: +# when: +# equals: +# http.code: 200 # # The following example renames the field a to b: # #processors: -#- rename: -# fields: -# - from: "a" -# to: "b" +# - rename: +# fields: +# - from: "a" +# to: "b" # # The following example tokenizes the string into fields: # #processors: -#- dissect: -# tokenizer: "%{key1} - %{key2}" -# field: "message" -# target_prefix: "dissect" +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" # # The following example enriches each event with metadata from the cloud # provider about the host machine. It works on EC2, GCE, DigitalOcean, # Tencent Cloud, and Alibaba Cloud. # #processors: -#- add_cloud_metadata: ~ +# - add_cloud_metadata: ~ # # The following example enriches each event with the machine's local time zone # offset from UTC. # #processors: -#- add_locale: -# format: offset +# - add_locale: +# format: offset # # The following example enriches each event with docker metadata, it matches # given fields to an existing container id and adds info from that container: # #processors: -#- add_docker_metadata: -# host: "unix:///var/run/docker.sock" -# match_fields: ["system.process.cgroup.id"] -# match_pids: ["process.pid", "process.ppid"] -# match_source: true -# match_source_index: 4 -# match_short_id: false -# cleanup_timeout: 60 -# labels.dedot: false -# # To connect to Docker over TLS you must specify a client and CA certificate. 
-# #ssl: -# # certificate_authority: "/etc/pki/root/ca.pem" -# # certificate: "/etc/pki/client/cert.pem" -# # key: "/etc/pki/client/cert.key" +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" # # The following example enriches each event with docker metadata, it matches # container id from log path available in `source` field (by default it expects # it to be /var/lib/docker/containers/*/*.log). # #processors: -#- add_docker_metadata: ~ +# - add_docker_metadata: ~ # # The following example enriches each event with host metadata. # #processors: -#- add_host_metadata: ~ +# - add_host_metadata: ~ # # The following example enriches each event with process metadata using # process IDs included in the event. # #processors: -#- add_process_metadata: -# match_pids: ["system.process.ppid"] -# target: system.process.parent +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent # # The following example decodes fields containing JSON strings # and replaces the strings with valid JSON objects. # #processors: -#- decode_json_fields: -# fields: ["field1", "field2", ...] -# process_array: false -# max_depth: 1 -# target: "" -# overwrite_keys: false +# - decode_json_fields: +# fields: ["field1", "field2", ...] 
+# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false # #processors: -#- decompress_gzip_field: -# from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true # # The following example copies the value of message to message_copied # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: message_copied -# fail_on_error: true -# ignore_missing: false +# fail_on_error: true +# ignore_missing: false # # The following example truncates the value of message to 1024 bytes # #processors: -#- truncate_fields: -# fields: -# - message -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example preserves the raw message under event.original # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: event.original -# fail_on_error: false -# ignore_missing: true -#- truncate_fields: -# fields: -# - event.original -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example URL-decodes the value of field1 to field2 # #processors: -#- urldecode: -# fields: -# - from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true #============================= Elastic Cloud ================================== diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 4385709a7d6..1abf0a80836 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml 
+++ b/x-pack/auditbeat/auditbeat.reference.yml 
@@ -299,151 +299,151 @@ auditbeat.modules: # values: # #processors: -#- include_fields: -# fields: ["cpu"] -#- drop_fields: -# fields: ["cpu.user", "cpu.system"] +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] # # The following example drops the events that have the HTTP response code 200: # #processors: -#- drop_event: -# when: -# equals: -# http.code: 200 +# - drop_event: +# when: +# equals: +# http.code: 200 # # The following example renames the field a to b: # #processors: -#- rename: -# fields: -# - from: "a" -# to: "b" +# - rename: +# fields: +# - from: "a" +# to: "b" # # The following example tokenizes the string into fields: # #processors: -#- dissect: -# tokenizer: "%{key1} - %{key2}" -# field: "message" -# target_prefix: "dissect" +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" # # The following example enriches each event with metadata from the cloud # provider about the host machine. It works on EC2, GCE, DigitalOcean, # Tencent Cloud, and Alibaba Cloud. # #processors: -#- add_cloud_metadata: ~ +# - add_cloud_metadata: ~ # # The following example enriches each event with the machine's local time zone # offset from UTC. # #processors: -#- add_locale: -# format: offset +# - add_locale: +# format: offset # # The following example enriches each event with docker metadata, it matches # given fields to an existing container id and adds info from that container: # #processors: -#- add_docker_metadata: -# host: "unix:///var/run/docker.sock" -# match_fields: ["system.process.cgroup.id"] -# match_pids: ["process.pid", "process.ppid"] -# match_source: true -# match_source_index: 4 -# match_short_id: false -# cleanup_timeout: 60 -# labels.dedot: false -# # To connect to Docker over TLS you must specify a client and CA certificate. 
-# #ssl: -# # certificate_authority: "/etc/pki/root/ca.pem" -# # certificate: "/etc/pki/client/cert.pem" -# # key: "/etc/pki/client/cert.key" +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" # # The following example enriches each event with docker metadata, it matches # container id from log path available in `source` field (by default it expects # it to be /var/lib/docker/containers/*/*.log). # #processors: -#- add_docker_metadata: ~ +# - add_docker_metadata: ~ # # The following example enriches each event with host metadata. # #processors: -#- add_host_metadata: ~ +# - add_host_metadata: ~ # # The following example enriches each event with process metadata using # process IDs included in the event. # #processors: -#- add_process_metadata: -# match_pids: ["system.process.ppid"] -# target: system.process.parent +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent # # The following example decodes fields containing JSON strings # and replaces the strings with valid JSON objects. # #processors: -#- decode_json_fields: -# fields: ["field1", "field2", ...] -# process_array: false -# max_depth: 1 -# target: "" -# overwrite_keys: false +# - decode_json_fields: +# fields: ["field1", "field2", ...] 
+# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false # #processors: -#- decompress_gzip_field: -# from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true # # The following example copies the value of message to message_copied # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: message_copied -# fail_on_error: true -# ignore_missing: false +# fail_on_error: true +# ignore_missing: false # # The following example truncates the value of message to 1024 bytes # #processors: -#- truncate_fields: -# fields: -# - message -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example preserves the raw message under event.original # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: event.original -# fail_on_error: false -# ignore_missing: true -#- truncate_fields: -# fields: -# - event.original -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example URL-decodes the value of field1 to field2 # #processors: -#- urldecode: -# fields: -# - from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true #============================= Elastic Cloud ================================== diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 983ec95fddb..0ec62c8e01f 100644 --- a/x-pack/filebeat/filebeat.reference.yml 
+++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1687,151 +1687,151 @@ filebeat.inputs: # values: # #processors: -#- include_fields: -# fields: ["cpu"] -#- drop_fields: -# fields: ["cpu.user", "cpu.system"] +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] # # The following example drops the events that have the HTTP response code 200: # #processors: -#- drop_event: -# when: -# equals: -# http.code: 200 +# - drop_event: +# when: +# equals: +# http.code: 200 # # The following example renames the field a to b: # #processors: -#- rename: -# fields: -# - from: "a" -# to: "b" +# - rename: +# fields: +# - from: "a" +# to: "b" # # The following example tokenizes the string into fields: # #processors: -#- dissect: -# tokenizer: "%{key1} - %{key2}" -# field: "message" -# target_prefix: "dissect" +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" # # The following example enriches each event with metadata from the cloud # provider about the host machine. It works on EC2, GCE, DigitalOcean, # Tencent Cloud, and Alibaba Cloud. # #processors: -#- add_cloud_metadata: ~ +# - add_cloud_metadata: ~ # # The following example enriches each event with the machine's local time zone # offset from UTC. # #processors: -#- add_locale: -# format: offset +# - add_locale: +# format: offset # # The following example enriches each event with docker metadata, it matches # given fields to an existing container id and adds info from that container: # #processors: -#- add_docker_metadata: -# host: "unix:///var/run/docker.sock" -# match_fields: ["system.process.cgroup.id"] -# match_pids: ["process.pid", "process.ppid"] -# match_source: true -# match_source_index: 4 -# match_short_id: false -# cleanup_timeout: 60 -# labels.dedot: false -# # To connect to Docker over TLS you must specify a client and CA certificate. 
-# #ssl: -# # certificate_authority: "/etc/pki/root/ca.pem" -# # certificate: "/etc/pki/client/cert.pem" -# # key: "/etc/pki/client/cert.key" +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" # # The following example enriches each event with docker metadata, it matches # container id from log path available in `source` field (by default it expects # it to be /var/lib/docker/containers/*/*.log). # #processors: -#- add_docker_metadata: ~ +# - add_docker_metadata: ~ # # The following example enriches each event with host metadata. # #processors: -#- add_host_metadata: ~ +# - add_host_metadata: ~ # # The following example enriches each event with process metadata using # process IDs included in the event. # #processors: -#- add_process_metadata: -# match_pids: ["system.process.ppid"] -# target: system.process.parent +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent # # The following example decodes fields containing JSON strings # and replaces the strings with valid JSON objects. # #processors: -#- decode_json_fields: -# fields: ["field1", "field2", ...] -# process_array: false -# max_depth: 1 -# target: "" -# overwrite_keys: false +# - decode_json_fields: +# fields: ["field1", "field2", ...] 
+# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false # #processors: -#- decompress_gzip_field: -# from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true # # The following example copies the value of message to message_copied # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: message_copied -# fail_on_error: true -# ignore_missing: false +# fail_on_error: true +# ignore_missing: false # # The following example truncates the value of message to 1024 bytes # #processors: -#- truncate_fields: -# fields: -# - message -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example preserves the raw message under event.original # #processors: -#- copy_fields: -# fields: +# - copy_fields: +# fields: # - from: message # to: event.original -# fail_on_error: false -# ignore_missing: true -#- truncate_fields: -# fields: -# - event.original -# max_bytes: 1024 -# fail_on_error: false -# ignore_missing: true +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true # # The following example URL-decodes the value of field1 to field2 # #processors: -#- urldecode: -# fields: -# - from: "field1" -# to: "field2" -# ignore_missing: false -# fail_on_error: true +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true #============================= Elastic Cloud ================================== diff --git a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc index dcde727efba..74fa9cfd19d 100644 
--- a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc +++ b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc @@ -18,11 +18,11 @@ renaming it to `event.original`. It is best to rename `message` to [source,yaml] ---- processors: -- rename: - fields: - - {from: "message", to: "event.original"} -- decode_cef: - field: event.original + - rename: + fields: + - {from: "message", to: "event.original"} + - decode_cef: + field: event.original ---- The `decode_cef` processor has the following configuration settings. diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index 8270463fa84..c2db1e47b25 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml 
@@ -509,151 +509,151 @@ functionbeat.provider.gcp.functions:
 # values:
 #
 #processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
 #
 # The following example drops the events that have the HTTP response code 200:
 #
 #processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
 #
 # The following example renames the field a to b:
 #
 #processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
 #
 # The following example tokenizes the string into fields:
 #
 #processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
 #
 # The following example enriches each event with metadata from the cloud
 # provider about the host machine. It works on EC2, GCE, DigitalOcean,
 # Tencent Cloud, and Alibaba Cloud.
 #
 #processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
 #
 # The following example enriches each event with the machine's local time zone
 # offset from UTC.
 #
 #processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
 #
 # The following example enriches each event with docker metadata, it matches
 # given fields to an existing container id and adds info from that container:
 #
 #processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
 #
 # The following example enriches each event with docker metadata, it matches
 # container id from log path available in `source` field (by default it expects
 # it to be /var/lib/docker/containers/*/*.log).
 #
 #processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
 #
 # The following example enriches each event with host metadata.
 #
 #processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
 #
 # The following example enriches each event with process metadata using
 # process IDs included in the event.
 #
 #processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
 #
 # The following example decodes fields containing JSON strings
 # and replaces the strings with valid JSON objects.
 #
 #processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
 #
 #processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
 #
 # The following example copies the value of message to message_copied
 #
 #processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
 # - from: message
 # to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
 #
 # The following example truncates the value of message to 1024 bytes
 #
 #processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
 #
 # The following example preserves the raw message under event.original
 #
 #processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
 # - from: message
 # to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
 #
 # The following example URL-decodes the value of field1 to field2
 #
 #processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
 
 #============================= Elastic Cloud ==================================
 
diff --git a/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc b/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc
index 8de150048fd..7c5b2daba96 100644
--- a/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc
+++ b/x-pack/libbeat/processors/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc
@@ -26,17 +26,17 @@ Each event is annotated with:
 [source,yaml]
 -------------------------------------------------------------------------------
 processors:
-- add_cloudfoundry_metadata:
- api_address: https://api.dev.cfdev.sh
- client_id: uaa-filebeat
- client_secret: verysecret
- ssl:
- verification_mode: none
- # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
- #ssl:
- # certificate_authorities: ["/etc/pki/cf/ca.pem"]
- # certificate: "/etc/pki/cf/cert.pem"
- # key: "/etc/pki/cf/cert.key"
+ - add_cloudfoundry_metadata:
+ api_address: https://api.dev.cfdev.sh
+ client_id: uaa-filebeat
+ client_secret: verysecret
+ ssl:
+ verification_mode: none
+ # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+ #ssl:
+ # certificate_authorities: ["/etc/pki/cf/ca.pem"]
+ # certificate: "/etc/pki/cf/cert.pem"
+ # key: "/etc/pki/cf/cert.key"
 -------------------------------------------------------------------------------
 
 It has the following settings:
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml
index 0e50c82f20c..4cfc5e8b750 100644
--- a/x-pack/metricbeat/metricbeat.reference.yml
+++ b/x-pack/metricbeat/metricbeat.reference.yml
@@ -1422,151 +1422,151 @@ metricbeat.modules:
 # values:
 #
 #processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
 #
 # The following example drops the events that have the HTTP response code 200:
 #
 #processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
 #
 # The following example renames the field a to b:
 #
 #processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
 #
 # The following example tokenizes the string into fields:
 #
 #processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
 #
 # The following example enriches each event with metadata from the cloud
 # provider about the host machine. It works on EC2, GCE, DigitalOcean,
 # Tencent Cloud, and Alibaba Cloud.
 #
 #processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
 #
 # The following example enriches each event with the machine's local time zone
 # offset from UTC.
 #
 #processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
 #
 # The following example enriches each event with docker metadata, it matches
 # given fields to an existing container id and adds info from that container:
 #
 #processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
 #
 # The following example enriches each event with docker metadata, it matches
 # container id from log path available in `source` field (by default it expects
 # it to be /var/lib/docker/containers/*/*.log).
 #
 #processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
 #
 # The following example enriches each event with host metadata.
 #
 #processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
 #
 # The following example enriches each event with process metadata using
 # process IDs included in the event.
 #
 #processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
 #
 # The following example decodes fields containing JSON strings
 # and replaces the strings with valid JSON objects.
 #
 #processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
 #
 #processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
 #
 # The following example copies the value of message to message_copied
 #
 #processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
 # - from: message
 # to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
 #
 # The following example truncates the value of message to 1024 bytes
 #
 #processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
 #
 # The following example preserves the raw message under event.original
 #
 #processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
 # - from: message
 # to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
 #
 # The following example URL-decodes the value of field1 to field2
 #
 #processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
 
 #============================= Elastic Cloud ==================================
 
diff --git a/x-pack/metricbeat/module/cockroachdb/status/_meta/docs.asciidoc b/x-pack/metricbeat/module/cockroachdb/status/_meta/docs.asciidoc
index e58c7689222..71d2eff78dc 100644
--- a/x-pack/metricbeat/module/cockroachdb/status/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/cockroachdb/status/_meta/docs.asciidoc @@ -6,6 +6,7 @@ WARNING: This metricset collects a large number of metrics, what can significantly impact disk usage. Processors can be used to drop unused metrics before they are stored. For example the following configuration will drop all histogram buckets: + [source,yaml] ------------------------------------------------------------------------------ - module: cockroachdb diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 73ab756fab8..c42a97453bb 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml 
@@ -169,151 +169,151 @@ winlogbeat.event_logs:
 # values:
 #
 #processors:
-#- include_fields:
-# fields: ["cpu"]
-#- drop_fields:
-# fields: ["cpu.user", "cpu.system"]
+# - include_fields:
+# fields: ["cpu"]
+# - drop_fields:
+# fields: ["cpu.user", "cpu.system"]
 #
 # The following example drops the events that have the HTTP response code 200:
 #
 #processors:
-#- drop_event:
-# when:
-# equals:
-# http.code: 200
+# - drop_event:
+# when:
+# equals:
+# http.code: 200
 #
 # The following example renames the field a to b:
 #
 #processors:
-#- rename:
-# fields:
-# - from: "a"
-# to: "b"
+# - rename:
+# fields:
+# - from: "a"
+# to: "b"
 #
 # The following example tokenizes the string into fields:
 #
 #processors:
-#- dissect:
-# tokenizer: "%{key1} - %{key2}"
-# field: "message"
-# target_prefix: "dissect"
+# - dissect:
+# tokenizer: "%{key1} - %{key2}"
+# field: "message"
+# target_prefix: "dissect"
 #
 # The following example enriches each event with metadata from the cloud
 # provider about the host machine. It works on EC2, GCE, DigitalOcean,
 # Tencent Cloud, and Alibaba Cloud.
 #
 #processors:
-#- add_cloud_metadata: ~
+# - add_cloud_metadata: ~
 #
 # The following example enriches each event with the machine's local time zone
 # offset from UTC.
 #
 #processors:
-#- add_locale:
-# format: offset
+# - add_locale:
+# format: offset
 #
 # The following example enriches each event with docker metadata, it matches
 # given fields to an existing container id and adds info from that container:
 #
 #processors:
-#- add_docker_metadata:
-# host: "unix:///var/run/docker.sock"
-# match_fields: ["system.process.cgroup.id"]
-# match_pids: ["process.pid", "process.ppid"]
-# match_source: true
-# match_source_index: 4
-# match_short_id: false
-# cleanup_timeout: 60
-# labels.dedot: false
-# # To connect to Docker over TLS you must specify a client and CA certificate.
-# #ssl:
-# # certificate_authority: "/etc/pki/root/ca.pem"
-# # certificate: "/etc/pki/client/cert.pem"
-# # key: "/etc/pki/client/cert.key"
+# - add_docker_metadata:
+# host: "unix:///var/run/docker.sock"
+# match_fields: ["system.process.cgroup.id"]
+# match_pids: ["process.pid", "process.ppid"]
+# match_source: true
+# match_source_index: 4
+# match_short_id: false
+# cleanup_timeout: 60
+# labels.dedot: false
+# # To connect to Docker over TLS you must specify a client and CA certificate.
+# #ssl:
+# # certificate_authority: "/etc/pki/root/ca.pem"
+# # certificate: "/etc/pki/client/cert.pem"
+# # key: "/etc/pki/client/cert.key"
 #
 # The following example enriches each event with docker metadata, it matches
 # container id from log path available in `source` field (by default it expects
 # it to be /var/lib/docker/containers/*/*.log).
 #
 #processors:
-#- add_docker_metadata: ~
+# - add_docker_metadata: ~
 #
 # The following example enriches each event with host metadata.
 #
 #processors:
-#- add_host_metadata: ~
+# - add_host_metadata: ~
 #
 # The following example enriches each event with process metadata using
 # process IDs included in the event.
 #
 #processors:
-#- add_process_metadata:
-# match_pids: ["system.process.ppid"]
-# target: system.process.parent
+# - add_process_metadata:
+# match_pids: ["system.process.ppid"]
+# target: system.process.parent
 #
 # The following example decodes fields containing JSON strings
 # and replaces the strings with valid JSON objects.
 #
 #processors:
-#- decode_json_fields:
-# fields: ["field1", "field2", ...]
-# process_array: false
-# max_depth: 1
-# target: ""
-# overwrite_keys: false
+# - decode_json_fields:
+# fields: ["field1", "field2", ...]
+# process_array: false
+# max_depth: 1
+# target: ""
+# overwrite_keys: false
 #
 #processors:
-#- decompress_gzip_field:
-# from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - decompress_gzip_field:
+# from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
 #
 # The following example copies the value of message to message_copied
 #
 #processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
 # - from: message
 # to: message_copied
-# fail_on_error: true
-# ignore_missing: false
+# fail_on_error: true
+# ignore_missing: false
 #
 # The following example truncates the value of message to 1024 bytes
 #
 #processors:
-#- truncate_fields:
-# fields:
-# - message
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - message
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
 #
 # The following example preserves the raw message under event.original
 #
 #processors:
-#- copy_fields:
-# fields:
+# - copy_fields:
+# fields:
 # - from: message
 # to: event.original
-# fail_on_error: false
-# ignore_missing: true
-#- truncate_fields:
-# fields:
-# - event.original
-# max_bytes: 1024
-# fail_on_error: false
-# ignore_missing: true
+# fail_on_error: false
+# ignore_missing: true
+# - truncate_fields:
+# fields:
+# - event.original
+# max_bytes: 1024
+# fail_on_error: false
+# ignore_missing: true
 #
 # The following example URL-decodes the value of field1 to field2
 #
 #processors:
-#- urldecode:
-# fields:
-# - from: "field1"
-# to: "field2"
-# ignore_missing: false
-# fail_on_error: true
+# - urldecode:
+# fields:
+# - from: "field1"
+# to: "field2"
+# ignore_missing: false
+# fail_on_error: true
 
 #============================= Elastic Cloud ==================================
 