Reputation: 199
How can I specify which Elastic index the Filebeat processor script should apply to? I am talking about this processor script https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html but I don't see the option to specify index anywhere.
I have indexes "firewall' and "switch" and I want to apply script A only to messages sent to "firewall" index and script B only to messages sent to "switch" index. So far, I have only managed to apply the scripts to ALL the messages (globally), but this means it applies script A to "switch" too and I do not want that.
Is there also a performance impact for applying scripts to all indexes vs applying scripts to specific indexes (if that is possible)?
EDIT After trying Val's solution, I came to this:
processors:
- script:
when:
equals:
_index: "firewall-11.2021"
lang: javascript
id: my_filter1
file: ${path.config}/Script_A.js
The _index field in messages is exactly "firewall-11.2021" so it should run script_A for messages having _index = "firewall-11.2021" (aka messages sent to "firewall-11.2021" index) but it does not. If I remove the condition, Script_A runs but for all messages.
This is the _index field I am placing a condition on:
Upvotes: 0
Views: 1125
Reputation: 217274
You can define conditions under which a given processor should be run or not. So in your case, it would look like this:
processors:
- script:
when:
equals:
_index: 'firewall'
id: script_A
- script:
when:
equals:
_index: 'switch'
id: script_B
Upvotes: 1