Filter and enhance data with processors

You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:

  • reducing the number of exported fields
  • enhancing events with additional metadata
  • performing additional processing and decoding

Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Winlogbeat configuration file.

event -> processor 1 -> event1 -> processor 2 -> event2 ...

For example, the following filter configuration drops a few fields that are rarely used (provider_guid, process_id, thread_id, and version) and one nested field, event_data.ErrorSourceTable:

processors:
  - drop_fields:
      fields: [winlog.provider_guid, winlog.process_id, winlog.thread_id, winlog.version, winlog.event_data.ErrorSourceTable]
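To make the chain semantics concrete, here is an added example (not Winlogbeat's own code) that imitates two libbeat processors in Python, applied in configured order to a constructed event; `drop_fields` handles dotted paths into nested keys, and `add_fields` is a simplified stand-in for the real enrichment processor of that name.

```python
from copy import deepcopy

# Constructed sample event in Winlogbeat's nested layout (not a real capture).
SAMPLE_EVENT = {
    "winlog": {
        "provider_guid": "{PLACEHOLDER-GUID}",
        "process_id": 4,
        "thread_id": 8,
        "version": 1,
        "event_id": 4624,
        "event_data": {"ErrorSourceTable": "n/a", "TargetUserName": "alice"},
    }
}

def _drop_path(event, dotted):
    """Delete one dotted key such as winlog.event_data.ErrorSourceTable; missing paths are ignored."""
    parts = dotted.split(".")
    node = event
    for key in parts[:-1]:
        node = node.get(key)
        if not isinstance(node, dict):
            return
    node.pop(parts[-1], None)

def drop_fields(fields):
    """Return a processor that removes the listed dotted fields from an event."""
    def processor(event):
        for field in fields:
            _drop_path(event, field)
        return event
    return processor

def add_fields(target, fields):
    """Return a processor that merges extra metadata under `target` (simplified imitation)."""
    def processor(event):
        event.setdefault(target, {}).update(fields)
        return event
    return processor

def run_pipeline(event, processors):
    """Apply processors in list order: event -> p1 -> event1 -> p2 -> event2 ..."""
    current = deepcopy(event)  # leave the caller's event untouched
    for proc in processors:
        current = proc(current)
    return current

PIPELINE = [
    drop_fields(["winlog.provider_guid", "winlog.process_id", "winlog.thread_id",
                 "winlog.version", "winlog.event_data.ErrorSourceTable"]),
    add_fields("fields", {"env": "lab"}),
]
```

Swapping the two entries in `PIPELINE` would let a later `drop_fields` remove what `add_fields` just added, which is why the configured order matters.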