IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Add Docker metadata Add Host metadata »
Elastic Docs Fleet and Elastic Agent Guide [8.14] Define processors

Add fields

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Add fields

edit

The add_fields processor adds fields to the event. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The add_fields processor overwrites the target field if it already exists. By default, the fields that you specify are grouped under the fields sub-dictionary in the event. To group the fields under a different sub-dictionary, use the target setting. To store the fields as top-level fields, set target: ''.

Examples

edit

This configuration:

  - add_fields:
      target: project
      fields:
        name: myproject
        id: '574734885120952459'

Adds these fields to any event:

{
  "project": {
    "name": "myproject",
    "id": "574734885120952459"
  }
}

This configuration alters the event metadata:

  - add_fields:
      target: '@metadata'
      fields:
        op_type: "index"

When the event is ingested by Elasticsearch, the document will have op_type: "index" set as a metadata field.

Configuration settings

edit

Elastic Agent processors execute before ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer to What are some limitations of using processors?

Name Required Default Description

target

No

fields

Sub-dictionary to put all fields into. Set target to @metadata to add values to the event metadata instead of fields.

fields

Yes

Fields to be added.
« Add Docker metadata Add Host metadata »