Your use case might require only a subset of the data exported by Journalbeat, or you might need to enhance the exported data (for example, by adding metadata). Journalbeat provides a couple of options for filtering and enhancing exported data.
You can configure Journalbeat to include events that match specific filtering
criteria. To do this, use the
option. The advantage of this approach is that you can reduce the number of
fields that Journalbeat needs to process.
Another approach (the one described here) is to define processors to configure global processing across all data exported by Journalbeat.
You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Journalbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...
Intro to Kibana
ELK for Logs & Metrics