Filter and enhance data with processorsedit

Your use case might require only a subset of the data exported by Journalbeat, or you might need to enhance the exported data (for example, by adding metadata). Journalbeat provides a couple of options for filtering and enhancing exported data.

You can configure Journalbeat to include events that match specific filtering criteria. To do this, use the include_matches option. The advantage of this approach is that you can reduce the number of fields that Journalbeat needs to process.

Another approach (the one described here) is to define processors to configure global processing across all data exported by Journalbeat.

Processorsedit

You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:

  • reducing the number of exported fields
  • enhancing events with additional metadata
  • performing additional processing and decoding

Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Journalbeat configuration file.

event -> processor 1 -> event1 -> processor 2 -> event2 ...