Filter and enhance the exported data

You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:

  • reducing the number of exported fields
  • enhancing events with additional metadata
  • performing additional processing and decoding

Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Packetbeat configuration file.

event -> processor 1 -> event1 -> processor 2 -> event2 ...

For example, the following configuration includes a subset of the Packetbeat DNS fields so that only the requests and their response codes are reported:

  - include_fields:
      fields:
        - bytes_in
        - bytes_out
        - ip
        - client_ip
        - dns.question.etld_plus_one
        - dns.response_code

The filtered event would look something like this:

  {
    "@timestamp": "2016-03-28T14:48:21.732Z",
    "bytes_in": 32,
    "bytes_out": 48,
    "client_ip": "",
    "dns": {
      "question": {
        "etld_plus_one": "",
        "name": ""
      },
      "response_code": "NOERROR"
    },
    "ip": "",
    "type": "dns"
  }

If you would like to drop all the successful transactions, you can use the following configuration:

 - drop_event:
     when:
       equals:
         http.response.code: 200

If you don’t want to export raw data for the successful transactions:

 - drop_fields:
     when:
       equals:
         http.response.code: 200
     fields: ["request", "response"]
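
Because processors run in the order they are defined, a condition can only match on fields that earlier processors left in the event. The following Python model is an added example, not libbeat code or part of the original page: it mimics `include_fields`, `drop_event` and `drop_fields` with an `equals` condition, assumes a condition on a missing field does not match, and uses a constructed sample event.

```python
import copy

ALWAYS_KEPT = ("@timestamp", "type")  # kept in the filtered DNS event though not listed

def get_path(event, path):  # value at a dotted path like 'http.response.code', else None
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

def equals(cond):  # condition: every listed field exists with the given value
    return lambda ev: all(get_path(ev, f) == v for f, v in cond.items())

def include_fields(fields):
    def proc(ev):
        out = {}
        for path in (*ALWAYS_KEPT, *fields):
            value = get_path(ev, path)
            if value is None:
                continue
            *parents, leaf = path.split(".")
            node = out
            for key in parents:
                node = node.setdefault(key, {})
            node[leaf] = value
        return out
    return proc

def drop_event(when):
    return lambda ev: None if when(ev) else ev  # None means the event is dropped

def drop_fields(fields, when=lambda ev: True):
    gone = set(fields) - set(ALWAYS_KEPT)
    return lambda ev: {k: v for k, v in ev.items() if k not in gone} if when(ev) else ev

def run(event, chain):  # event -> processor 1 -> event1 -> ...; stops once dropped
    event = copy.deepcopy(event)
    for proc in chain:
        event = proc(event)
        if event is None:
            return None
    return event

# Constructed sample event (not captured traffic).
OK_EVENT = {"@timestamp": "2016-03-28T14:48:21.732Z", "type": "http", "bytes_in": 32,
            "http": {"response": {"code": 200}}, "request": "GET /", "response": "HTTP/1.1 200 OK"}
SUCCESS = equals({"http.response.code": 200})
FILTER_THEN_TRIM = [drop_event(SUCCESS), include_fields(["bytes_in"])]
TRIM_THEN_FILTER = [include_fields(["bytes_in"]), drop_event(SUCCESS)]
```

`run(OK_EVENT, FILTER_THEN_TRIM)` returns `None`, while `run(OK_EVENT, TRIM_THEN_FILTER)` still exports the event because `http.response.code` was removed before the condition ran.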