Filter and enhance data with processors

You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:

  • reducing the number of exported fields
  • enhancing events with additional metadata
  • performing additional processing and decoding

Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Packetbeat configuration file.

event -> processor 1 -> event1 -> processor 2 -> event2 ...

For example, the following configuration includes a subset of the Packetbeat DNS fields so that only the requests and their response codes are reported:

processors:
  - include_fields:
      fields:
        - client.bytes
        - server.bytes
        - client.ip
        - server.ip
        - dns.question.name
        - dns.question.etld_plus_one
        - dns.response_code

The filtered event would look something like this:

{
  "@timestamp": "2019-01-19T03:41:11.798Z",
  "client": {
    "bytes": 28,
    "ip": ""
  },
  "server": {
    "bytes": 271,
    "ip": ""
  },
  "dns": {
    "question": {
      "name": "",
      "etld_plus_one": ""
    },
    "response_code": "NOERROR"
  },
  "type": "dns"
}

If you would like to drop all the successful transactions, you can use the following configuration:

processors:
  - drop_event:
      when:
        equals:
          http.response.status_code: 200

If you don’t want to export raw data for the successful transactions:

processors:
  - drop_fields:
      when:
        equals:
          http.response.status_code: 200
      fields: ["request", "response"]
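
Because processors run in the order they are defined, a condition only sees the fields that earlier processors left in the event. The following Python sketch is an added example, not libbeat code or part of the original documentation; it is a simplified model of `include_fields` and `drop_event` with an `equals` condition, and the sample event and helper names (`get_path`, `run`, `drop_then_filter`, `filter_then_drop`) are assumptions made for illustration.

```python
from copy import deepcopy

def get_path(event, path):
    """Return (found, value) for a dotted path like 'http.response.status_code'."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def equals(expected):
    """Condition: true only if every field exists and matches (missing -> false)."""
    return lambda ev: all(get_path(ev, f) == (True, v) for f, v in expected.items())

def include_fields(fields):
    def proc(ev):
        out = {}
        # Modelled on Beats behaviour: @timestamp and type are always exported.
        for path in ["@timestamp", "type", *fields]:
            found, value = get_path(ev, path)
            if found:
                *parents, leaf = path.split(".")
                node = out
                for key in parents:
                    node = node.setdefault(key, {})
                node[leaf] = deepcopy(value)
        return out
    return proc

def drop_event(when):
    return lambda ev: None if when(ev) else ev

def run(processors, event):
    """event -> processor 1 -> event1 -> ...; None means the event was dropped."""
    for proc in processors:
        event = proc(event)
        if event is None:
            return None
    return event

# Constructed sample event (not real traffic).
EVENT = {"@timestamp": "2019-01-19T03:41:11.798Z", "type": "http",
         "client": {"bytes": 28}, "http": {"response": {"status_code": 200}}}

drop_ok = drop_event(equals({"http.response.status_code": 200}))
keep_client = include_fields(["client.bytes"])

def drop_then_filter():
    return run([drop_ok, keep_client], deepcopy(EVENT))  # condition sees the status code

def filter_then_drop():
    return run([keep_client, drop_ok], deepcopy(EVENT))  # status code already removed
```

With the filter first, the `equals` condition no longer finds `http.response.status_code`, so the successful transaction is exported instead of dropped. Place conditional processors before any processor that removes the fields they test.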