Spaces method and path for this operation:
Refer to Spaces for more information.
Upserts the ingest settings of an ingest stream definition
[Required authorization] Route required privileges: manage_stream.
Body
ingest
object Required Any of: Hide attributes Show attributes
-
Additional properties are NOT allowed.
Hide processing attribute Show processing attribute object
-
Any of: object-1object object-2object object-3object object-4object object-5object object-6object object-7object object-8object object-9object object-10object object-11object object-12object object-13object object-14object object-15object object-16object object-17object object-18object object-19object object-20object object-1object object-2object object-22object object-23object object-24object Kibana_HTTP_APIs_StreamlangConditionBlockobject Grok processor - Extract fields from text using grok patterns
Hide attributes Show attributes
-
Value is
grok. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to parse with grok patterns
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Grok patterns applied in order to extract fields
At least
1element. Minimum length of each is1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Dissect processor - Extract fields from text using a lightweight, delimiter-based parser
Hide attributes Show attributes
-
Value is
dissect. -
Separator inserted when target fields are concatenated
Minimum length is
1. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to parse with dissect pattern
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Dissect pattern describing field boundaries
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Date processor - Parse dates from strings using one or more expected formats
Hide attributes Show attributes
-
Value is
date. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Accepted input date formats, tried in order
Minimum length of each is
1. -
Source field containing the date/time text
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Optional locale for date parsing
Minimum length is
1. -
Optional output format for storing the parsed date as text
Minimum length is
1. -
Optional timezone for date parsing
Minimum length is
1. -
Target field for the parsed date (defaults to source)
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
drop_document. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
math. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
A non-empty string.
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Rename processor - Change a field name and optionally its location
Hide attributes Show attributes
-
Value is
rename. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Existing source field to rename or move
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip when source field is missing
-
Allow overwriting the target field if it already exists
-
New field name or destination path
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)
Hide attributes Show attributes
-
Value is
set. -
Copy value from another field instead of providing a literal
Minimum length is
1. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
Allow overwriting an existing target field
-
Target field to set or create
Minimum length is
1. -
Literal value to assign to the target field
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Append processor - Append one or more values to an existing or new array field
Hide attributes Show attributes
-
Value is
append. -
If true, do not deduplicate appended values
-
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
Array field to append values to
Minimum length is
1. -
Values to append (must be literal, no templates)
At least
1element. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Remove by prefix processor - Remove a field and all nested fields matching the prefix
Hide attributes Show attributes
-
Value is
remove_by_prefix. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Field to remove along with all its nested fields
Minimum length is
1. -
Continue pipeline execution if this processor fails
Remove processor - Delete one or more fields from the document
Hide attributes Show attributes
-
Value is
remove. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Field to remove from the document
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
replace. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Redact processor - Mask sensitive data using Grok patterns
Hide attributes Show attributes
-
Value is
redact. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to redact sensitive data from
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing (defaults to true)
-
Custom pattern definitions to use in the patterns
-
Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}")
At least
1element. Minimum length of each is1. -
Prefix to prepend to the redacted pattern name (defaults to "<")
-
Suffix to append to the redacted pattern name (defaults to ">")
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
uppercase. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
lowercase. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
trim. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
join. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
At least
1element. Minimum length of each is1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Split processor - Split a field value into an array using a separator
Hide attributes Show attributes
-
Value is
split. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to split into an array
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Preserve empty trailing fields in the split result
-
Regex separator used to split the field value into an array
Minimum length is
1. -
Target field for the split array (defaults to source)
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
sort. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Array field to sort
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc"
Values are
ascordesc. -
Target field for the sorted array (defaults to source)
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)
Hide attributes Show attributes
-
Value is
convert. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to convert to a different data type
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Target field for the converted value (defaults to source)
Minimum length is
1. -
Target data type: integer, long, double, boolean, or string
Values are
integer,long,double,boolean, orstring. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
concat. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
At least
1element. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
network_direction. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
network_direction. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
-
Minimum length is
1.
JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors
Hide attributes Show attributes
-
Value is
json_extract. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
List of extraction specifications
At least
1element.Hide extractions attributes Show extractions attributes object
A single extraction specification
-
JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name")
Minimum length is
1. -
Target field to store the extracted value
Minimum length is
1. -
Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers.
Values are
keyword,integer,long,double, orboolean.
-
-
Source field containing the JSON string to parse
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
enrich. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
A non-empty string.
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Manual ingest pipeline wrapper around native Elasticsearch processors
Hide attributes Show attributes
-
Manual ingest pipeline - executes raw Elasticsearch ingest processors
Value is
manual_ingest_pipeline. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
Fallback processors to run when a processor fails
Additional properties are allowed.
-
List of raw Elasticsearch ingest processors to run
Additional properties are allowed.
-
Optional ingest processor tag for Elasticsearch
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
condition
object Required Any of: A condition that compares a field to a value or range using an operator as the key.
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
A condition that checks for the existence or non-existence of a field.
A logical AND that groups multiple conditions.
A logical OR that groups multiple conditions.
A logical NOT that negates a condition.
A condition that always evaluates to false.
-
-
-
Additional properties are NOT allowed.
Hide settings attributes Show settings attributes object
-
Additional properties are NOT allowed.
Hide wired attributes Show wired attributes object
-
Hide routing attributes Show routing attributes object
-
A non-empty string.
Minimum length is
1. -
Values are
enabledordisabled. where
object Required The root condition object. It can be a simple filter or a combination of other conditions.
Any of: A condition that compares a field to a value or range using an operator as the key.
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
A condition that checks for the existence or non-existence of a field.
A logical AND that groups multiple conditions.
A logical OR that groups multiple conditions.
A condition that always evaluates to false.
-
Hide attributes Show attributes
-
Additional properties are NOT allowed.
-
Additional properties are NOT allowed.
Hide processing attribute Show processing attribute object
-
Any of: object-1object object-2object object-3object object-4object object-5object object-6object object-7object object-8object object-9object object-10object object-11object object-12object object-13object object-14object object-15object object-16object object-17object object-18object object-19object object-20object object-1object object-2object object-22object object-23object object-24object Kibana_HTTP_APIs_StreamlangConditionBlockobject Grok processor - Extract fields from text using grok patterns
Hide attributes Show attributes
-
Value is
grok. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to parse with grok patterns
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Grok patterns applied in order to extract fields
At least
1element. Minimum length of each is1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Dissect processor - Extract fields from text using a lightweight, delimiter-based parser
Hide attributes Show attributes
-
Value is
dissect. -
Separator inserted when target fields are concatenated
Minimum length is
1. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to parse with dissect pattern
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Dissect pattern describing field boundaries
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Date processor - Parse dates from strings using one or more expected formats
Hide attributes Show attributes
-
Value is
date. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Accepted input date formats, tried in order
Minimum length of each is
1. -
Source field containing the date/time text
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Optional locale for date parsing
Minimum length is
1. -
Optional output format for storing the parsed date as text
Minimum length is
1. -
Optional timezone for date parsing
Minimum length is
1. -
Target field for the parsed date (defaults to source)
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
drop_document. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
math. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
A non-empty string.
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Rename processor - Change a field name and optionally its location
Hide attributes Show attributes
-
Value is
rename. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Existing source field to rename or move
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip when source field is missing
-
Allow overwriting the target field if it already exists
-
New field name or destination path
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)
Hide attributes Show attributes
-
Value is
set. -
Copy value from another field instead of providing a literal
Minimum length is
1. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
Allow overwriting an existing target field
-
Target field to set or create
Minimum length is
1. -
Literal value to assign to the target field
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Append processor - Append one or more values to an existing or new array field
Hide attributes Show attributes
-
Value is
append. -
If true, do not deduplicate appended values
-
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
Array field to append values to
Minimum length is
1. -
Values to append (must be literal, no templates)
At least
1element. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Remove by prefix processor - Remove a field and all nested fields matching the prefix
Hide attributes Show attributes
-
Value is
remove_by_prefix. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Field to remove along with all its nested fields
Minimum length is
1. -
Continue pipeline execution if this processor fails
Remove processor - Delete one or more fields from the document
Hide attributes Show attributes
-
Value is
remove. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Field to remove from the document
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
replace. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Redact processor - Mask sensitive data using Grok patterns
Hide attributes Show attributes
-
Value is
redact. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to redact sensitive data from
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing (defaults to true)
-
Custom pattern definitions to use in the patterns
-
Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}")
At least
1element. Minimum length of each is1. -
Prefix to prepend to the redacted pattern name (defaults to "<")
-
Suffix to append to the redacted pattern name (defaults to ">")
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
uppercase. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
lowercase. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
trim. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
join. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
At least
1element. Minimum length of each is1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Split processor - Split a field value into an array using a separator
Hide attributes Show attributes
-
Value is
split. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to split into an array
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Preserve empty trailing fields in the split result
-
Regex separator used to split the field value into an array
Minimum length is
1. -
Target field for the split array (defaults to source)
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
sort. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Array field to sort
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc"
Values are
ascordesc. -
Target field for the sorted array (defaults to source)
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)
Hide attributes Show attributes
-
Value is
convert. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Source field to convert to a different data type
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
-
Target field for the converted value (defaults to source)
Minimum length is
1. -
Target data type: integer, long, double, boolean, or string
Values are
integer,long,double,boolean, orstring. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
concat. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
At least
1element. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
network_direction. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
network_direction. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
-
Minimum length is
1.
JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors
Hide attributes Show attributes
-
Value is
json_extract. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
List of extraction specifications
At least
1element.Hide extractions attributes Show extractions attributes object
A single extraction specification
-
JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name")
Minimum length is
1. -
Target field to store the extracted value
Minimum length is
1. -
Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers.
Values are
keyword,integer,long,double, orboolean.
-
-
Source field containing the JSON string to parse
Minimum length is
1. -
Continue pipeline execution if this processor fails
-
Skip processing when source field is missing
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
Value is
enrich. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
A non-empty string.
Minimum length is
1. -
Minimum length is
1. where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Manual ingest pipeline wrapper around native Elasticsearch processors
Hide attributes Show attributes
-
Manual ingest pipeline - executes raw Elasticsearch ingest processors
Value is
manual_ingest_pipeline. -
Custom identifier to correlate this processor across outputs
Minimum length is
1. -
Human-readable notes about this processor step
-
Continue pipeline execution if this processor fails
-
Fallback processors to run when a processor fails
Additional properties are allowed.
-
List of raw Elasticsearch ingest processors to run
Additional properties are allowed.
-
Optional ingest processor tag for Elasticsearch
where
object Any of: Conditional expression controlling whether this processor runs
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Conditional expression controlling whether this processor runs
Hide attributes Show attributes
condition
object Required Any of: A condition that compares a field to a value or range using an operator as the key.
Hide attributes Show attributes
-
The document field to filter on.
Minimum length is
1. -
Range comparison values.
Additional properties are NOT allowed.
Hide range attributes Show range attributes object
A condition that checks for the existence or non-existence of a field.
A logical AND that groups multiple conditions.
A logical OR that groups multiple conditions.
A logical NOT that negates a condition.
A condition that always evaluates to false.
-
-
-
Additional properties are NOT allowed.
Hide settings attributes Show settings attributes object
curl \
--request PUT 'https://localhost:5601/api/streams/{name}/_ingest' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[{"action":"grok","from":"message","ignore_missing":false,"patterns":["%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:@timestamp}\\] \"%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)"]}]},"settings":{},"wired":{"fields":{"client.ip":{"type":"ip"},"http.method":{"type":"keyword"},"http.response.body.bytes":{"type":"long"},"http.response.status_code":{"type":"long"},"url.original":{"type":"wildcard"}},"routing":[{"destination":"logs.nginx.errors","status":"enabled","where":{"eq":"500","field":"http.response.status_code"}}]}}}'
{
"ingest": {
"failure_store": {
"inherit": {}
},
"lifecycle": {
"inherit": {}
},
"processing": {
"steps": [
{
"action": "grok",
"from": "message",
"ignore_missing": false,
"patterns": [
"%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:@timestamp}\\] \"%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)"
]
}
]
},
"settings": {},
"wired": {
"fields": {
"client.ip": {
"type": "ip"
},
"http.method": {
"type": "keyword"
},
"http.response.body.bytes": {
"type": "long"
},
"http.response.status_code": {
"type": "long"
},
"url.original": {
"type": "wildcard"
}
},
"routing": [
{
"destination": "logs.nginx.errors",
"status": "enabled",
"where": {
"eq": "500",
"field": "http.response.status_code"
}
}
]
}
}
}