Sederfo

Reputation: 199

Filebeat processor script per index

How can I specify which Elastic index the Filebeat processor script should apply to? I am talking about this processor script https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html but I don't see the option to specify index anywhere.

I have indexes "firewall" and "switch" and I want to apply script A only to messages sent to "firewall" index and script B only to messages sent to "switch" index. So far, I have only managed to apply the scripts to ALL the messages (globally), but this means it applies script A to "switch" too and I do not want that.

Is there also a performance impact for applying scripts to all indexes vs applying scripts to specific indexes (if that is possible)?

EDIT: After trying Val's solution, I came to this:

processors:
  - script:
      when:
        equals:
          _index: "firewall-11.2021"
      lang: javascript
      id: my_filter1
      file: ${path.config}/Script_A.js

The _index field in messages is exactly "firewall-11.2021" so it should run script_A for messages having _index = "firewall-11.2021" (aka messages sent to "firewall-11.2021" index) but it does not. If I remove the condition, Script_A runs but for all messages.

This is the _index field I am placing a condition on: [image]

Upvotes: 0

Views: 1125

Answers (1)

Val

Reputation: 217274

You can define conditions under which a given processor should be run or not. So in your case, it would look like this:

processors:
  - script:
      when:
        equals:
          _index: 'firewall'
      id: script_A
  - script:
      when:
        equals:
          _index: 'switch'
      id: script_B

Upvotes: 1
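
An added example, not part of the question or the answer: processors run inside Filebeat before an event is shipped, while `_index` is document metadata that exists only once Elasticsearch has stored the event, so one way to get per-index scripts is to attach each script to the input that feeds that index. The input type, ids, paths and `Script_B.js` are assumptions; `Script_A.js` and the `firewall-MM.yyyy` index naming come from the question.

```yaml
# Added example: per-input processors, so each script only ever sees
# the events of the input it is attached to.
filebeat.inputs:
  - type: filestream                        # assumed input type
    id: firewall-logs                       # assumed input id
    paths:
      - /var/log/network/firewall/*.log     # assumed path
    # Input-level index override for the Elasticsearch output;
    # yields names such as firewall-11.2021.
    index: "firewall-%{+MM.yyyy}"
    processors:
      - script:
          lang: javascript
          id: script_A
          file: ${path.config}/Script_A.js

  - type: filestream
    id: switch-logs                         # assumed input id
    paths:
      - /var/log/network/switch/*.log       # assumed path
    index: "switch-%{+MM.yyyy}"
    processors:
      - script:
          lang: javascript
          id: script_B
          file: ${path.config}/Script_B.js  # assumed file name

# No top-level "processors:" entry is needed for these two scripts.
# Anything placed there would again run on every event from every input.
```

Running `filebeat test config` after the change checks that the file parses before the service is restarted.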
