You are looking at preliminary documentation for a future release. Not what you want? See the current release documentation.
Elastic Docs Fleet and Elastic Agent Guide [master] Define processors
« Decode XML Wineventlog Detect mime type »

Decompress gzip fieldsedit

The decompress_gzip_field processor specifies a field to gzip decompress.

To overwrite fields, either first rename the target field, or use the drop_fields processor to drop the field, and then decompress the field.

Exampleedit

In this example, field1 is decompressed in field2.

  - decompress_gzip_field:
      field:
        from: "field1"
        to: "field2"
      ignore_missing: false
      fail_on_error: true

Configuration settingsedit

Elastic Agent processors execute before ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer to What are some limitations of using processors?

Name Required Default Description

field

Yes

Contains:

  • from: "old-key", where from is the origin
  • to: "new-key", where to is the target field name

ignore_missing

No

false

Whether to ignore missing keys. If true, no error is logged if a key that should be decompressed is missing.

fail_on_error

No

true

If true and an error occurs, decompression of fields is stopped, and the original event is returned. If false, decompression continues even if an error occurs during decoding.

See Conditions for a list of supported conditions.

« Decode XML Wineventlog Detect mime type »