Opposite of "Append" processor?

dadoonet · March 14, 2024, 11:16am

Try:

POST /_ingest/pipeline/_simulate
{
  "pipeline" :
  {
    "description": "_description",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{IMAP_POSTLOGIN_WORD:dovecot.service}: user=%{DOVECOT_USER:dovecot.user}, homedir=%{DATA:dovecot.homedir}, rip=%{IP:dovecot.rip}, lip=%{IP:dovecot.lip}, arguments=%{DATA:dovecot.arguments},"
          ],
          "pattern_definitions": {
            "DOVECOT_USER": "%{USERNAME}|%{EMAILADDRESS}|%{DATA}",
            "IMAP_POSTLOGIN_WORD": "imap-postlogin"
          },
          "ignore_missing": true,
          "ignore_failure": true
        }
      },
      {
        "script": {
          "source": """
if (ctx.tags != null && ctx.tags.contains('_grokparsefailure')) { 
    ctx.tags.remove(ctx.tags.indexOf('_grokparsefailure'));
}""",
          "if": "ctx?.dovecot?.service == 'imap-postlogin'"
        }
      }      
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "message": "imap-postlogin: user=us@r, homedir=/.../, rip=10.0.0.1, lip=127.0.0.1, arguments=/.../,",
        "tags": [
          "journald-log",
          "_grokparsefailure"
        ]
      }
    }
  ]
}

Topic		Replies	Views
Using the Remove processor for ingest node Elasticsearch	8	4007	July 5, 2017
Remove Processor return an illegal_argument_exception error Elasticsearch	1	204	May 4, 2023
NEST - How to remove the content with RemoveProcessor? Elasticsearch	2	689	April 12, 2017
Tuning Attachment Ingest with arrays (get rid of the raw data!) Elasticsearch	5	1790	February 16, 2017
Removing a field with dots in an ingest pipeline Elasticsearch ingest-pipeline	4	2136	June 8, 2021

Opposite of "Append" processor?

Related topics