decompress_gzip_field processor specifies a field to gzip decompress.
field key contains a
from: old-key and a
to: new-key pair.
the origin and
to the target name of the field.
To overwrite fields either first rename the target field or use the
processor to drop the field and then decompress the field.
processors: - decompress_gzip_field: field: from: "field1" to: "field2" ignore_missing: false fail_on_error: true
In the example above: - field1 is decoded in field2
decompress_gzip_field processor has the following configuration settings:
(Optional) If set to true, no error is logged in case a key
which should be decompressed is missing. Default is
(Optional) If set to true, in case of an error the decompression
of fields is stopped and the original event is returned. If set to false, decompression
continues also if an error happened during decoding. Default is
See Conditions for a list of supported conditions.
Intro to Kibana
ELK for Logs & Metrics