Starting in version 7.16, this experimental functionality has been removed. You should use the journald input in Filebeat instead.
decompress_gzip_field processor specifies a field to gzip decompress.
field key contains a
from: old-key and a
to: new-key pair.
the origin and
to the target name of the field.
To overwrite fields either first rename the target field or use the
processor to drop the field and then rename the field.
processors: - decompress_gzip_field: field: from: "field1" to: "field2" ignore_missing: false fail_on_error: true
In the example above: - field1 is decoded in field2
decompress_gzip_field processor has the following configuration settings:
(Optional) If set to true, no error is logged in case a key
which should be base64 decoded is missing. Default is
(Optional) If set to true, in case of an error the base64 decode
of fields is stopped and the original event is returned. If set to false, decoding
continues also if an error happened during decoding. Default is
See Conditions for a list of supported conditions.
Intro to Kibana
ELK for Logs & Metrics