Filter and enhance the exported data

You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:

  • reducing the number of exported fields
  • enhancing events with additional metadata
  • performing additional processing and decoding

Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Packetbeat configuration file.

event -> processor 1 -> event1 -> processor 2 -> event2 ...

For example, the following configuration includes a subset of the Packetbeat DNS fields so that only the requests and their response codes are reported:

processors:
  - include_fields:
      fields:
        - bytes_in
        - bytes_out
        - ip
        - client_ip
        - dns.question.name
        - dns.question.etld_plus_one
        - dns.response_code

The filtered event would look something like this:

{
  "@timestamp": "2016-03-28T14:48:21.732Z",
  "bytes_in": 32,
  "bytes_out": 48,
  "client_ip": "192.168.10.111",
  "dns": {
    "question": {
      "etld_plus_one": "google.com.",
      "name": "www.google.com."
    },
    "response_code": "NOERROR"
  },
  "ip": "8.8.8.8",
  "type": "dns"
}

If you want to drop all successful HTTP transactions (those with a 200 response code), you can use the following configuration:

processors:
  - drop_event:
      when:
        equals:
          http.response.code: 200

If you want to keep the successful transactions but not export their raw request and response data:

processors:
  - drop_fields:
      when:
        equals:
          http.response.code: 200
      fields: ["request", "response"]
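To make the pipeline semantics concrete (event -> processor -> event, with a dropped event ending the chain), here is a small Python re-implementation of the three processors used on this page: include_fields, drop_event and drop_fields with an `equals` condition. This is an added illustration, not Packetbeat or libbeat code; the sample DNS and HTTP events are constructed (the extra fields such as `transport`, `port` and `dns.answers` are assumed for the demo), and the helper names (`run_pipeline`, `get_path`, `demo`) are this example's own.

```python
import copy


def get_path(event, path):
    """Resolve a dotted field name such as 'dns.question.name'; None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def set_path(event, path, value):
    """Create nested dicts as needed and set the leaf value."""
    node = event
    keys = path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def matches(event, when):
    """Only the `equals` condition from this page is supported.
    No `when` means the processor applies to every event."""
    if when is None:
        return True
    return all(get_path(event, p) == v for p, v in when.get("equals", {}).items())


def include_fields(event, fields):
    """Keep only the listed fields. @timestamp and type are always retained,
    which is why they appear in the filtered DNS event above."""
    kept = {}
    for path in ["@timestamp", "type"] + list(fields):
        value = get_path(event, path)
        if value is not None:
            set_path(kept, path, copy.deepcopy(value))
    return kept


def drop_fields(event, fields, when=None):
    """Remove the listed fields when the condition matches; otherwise pass through."""
    if not matches(event, when):
        return event
    out = copy.deepcopy(event)
    for path in fields:
        keys = path.split(".")
        parent = get_path(out, ".".join(keys[:-1])) if len(keys) > 1 else out
        if isinstance(parent, dict):
            parent.pop(keys[-1], None)
    return out


def drop_event(event, when=None):
    """Return None (event discarded) when the condition matches."""
    return None if matches(event, when) else event


def run_pipeline(event, processors):
    """event -> processor 1 -> event1 -> processor 2 -> ...; a dropped event
    short-circuits the rest of the chain."""
    for proc in processors:
        (name, cfg), = proc.items()
        if name == "include_fields":
            event = include_fields(event, cfg["fields"])
        elif name == "drop_fields":
            event = drop_fields(event, cfg["fields"], cfg.get("when"))
        elif name == "drop_event":
            event = drop_event(event, cfg.get("when"))
        else:
            raise ValueError(f"unknown processor: {name}")
        if event is None:
            return None
    return event


# Constructed sample events (not captured traffic); extra fields are assumed.
DNS_EVENT = {
    "@timestamp": "2016-03-28T14:48:21.732Z", "type": "dns",
    "bytes_in": 32, "bytes_out": 48, "client_ip": "192.168.10.111", "ip": "8.8.8.8",
    "client_port": 50000, "port": 53, "transport": "udp",
    "dns": {"id": 1234, "response_code": "NOERROR",
            "question": {"name": "www.google.com.", "etld_plus_one": "google.com.", "type": "A"},
            "answers": [{"name": "www.google.com.", "data": "172.217.0.4"}]},
}
HTTP_EVENT = {
    "@timestamp": "2016-03-28T14:50:00.000Z", "type": "http",
    "client_ip": "192.168.10.111", "ip": "10.0.0.5",
    "http": {"request": {"method": "GET"}, "response": {"code": 200}},
    "request": "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "response": "HTTP/1.1 200 OK\r\n\r\n",
}

# The three processor configurations from this page, as Python structures.
INCLUDE_DNS = [{"include_fields": {"fields": [
    "bytes_in", "bytes_out", "ip", "client_ip",
    "dns.question.name", "dns.question.etld_plus_one", "dns.response_code"]}}]
DROP_OK = [{"drop_event": {"when": {"equals": {"http.response.code": 200}}}}]
STRIP_OK = [{"drop_fields": {"when": {"equals": {"http.response.code": 200}},
                             "fields": ["request", "response"]}}]


def demo():
    """Run each configuration against the matching sample event."""
    return {"filtered_dns": run_pipeline(DNS_EVENT, INCLUDE_DNS),
            "dropped_ok": run_pipeline(HTTP_EVENT, DROP_OK),
            "stripped_ok": run_pipeline(HTTP_EVENT, STRIP_OK)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the script prints the filtered DNS event in the shape shown above, `null` for the dropped 200 transaction, and the 200 transaction with `request` and `response` removed but `http.response.code` intact. Change the response code in `HTTP_EVENT` to 500 and both conditional processors pass the event through untouched, which is the check worth doing before relying on a `when` clause in production: a mistyped field path never matches, so drop_event silently drops nothing.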