Processor not working

Elastic Stack Beats
1

I am trying to use processors in filebeat, but the testing was not working as I expected.

Here is the config:

#=========================== Filebeat inputs =============================
processors:
- drop_event:
    when:
       contains:
         message: "xyz"


filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: stdin

And when I type 'I am not a fan of xyz' from the console, the event is not dropped, as below.

.......
    "version": "7.3.1",
    "type": "filebeat",
    "ephemeral_id": "b5afb0fe-7ccd-49fc-8aa9-593927a94495"
  },
  "message": "I am not a fan of xyz",
  "log": {
    "offset": 0,
    "file": {
      "path": ""
    }
  },
  "input": {
    "type": "stdin"
  },
  "ecs": {
    "version": "1.0.1"
  }
}

anything is wrong?

2

it is working if I put this processor under a particular type, but not the global setting level.

However,the documentation says below, is my understanding wrong?

Where are processors valid?edit

Processors are valid:

**** At the top-level in the configuration. The processor is applied to all data collected by Filebeat.***

  • Under a specific input. The processor is applied to the data collected for that input. For example:
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.