Replace fields from events
editReplace fields from events
editThe replace
processor takes a list of fields to search for a matching
value and replaces the matching value with a specified string.
The replace
processor cannot be used to create a completely new value.
You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
Example
editThe following example changes the path from /usr/bin
to /usr/local/bin
:
- replace: fields: - field: "file.path" pattern: "/usr/" replacement: "/usr/local/" ignore_missing: false fail_on_error: true
Configuration settings
editName | Required | Default | Description |
---|---|---|---|
|
Yes |
List of one or more items. Each item contains a
|
|
|
No |
|
Whether to ignore missing fields. If |
|
No |
|
Whether to fail replacement of field values if an error occurs.
If |
See Conditions for a list of supported conditions.