Send only one field in pipeline to pipeline communication

Laetitia_RICHARD · June 23, 2022, 12:03pm

Hello,
I'd like my 1st pipeline to send the event to an Elasticsearch output and only a field's event to the input of a 2nd pipeline. Is it possible to send only one field in a pipeline and not a complete event?

smtp_server · June 23, 2022, 2:48pm

Remove those extra fields using mutate filter.

Laetitia_RICHARD · June 23, 2022, 2:57pm

Hello, thank you for your reply. I can't remove them because I need all field for my elasticsearch output.

leandrojmp · June 23, 2022, 3:01pm

The pipeline to pipeline using the pipeline output does not support the codec option to change the format of the output message, which would allow you to send just one field to a pipeline and the entire message to the other pipeline.

To do this you will need to duplicate your event using the clone filter, the prune filter and some conditionals to change only the event that was cloned.

Something like this:

filter {
    clone {
        clones => ["cloned"]
    }
    if [type] == "cloned" {
        prune {
            whitelist_names => [ "field-you-want-to-send" ]
        }
    }
}
output {
    if [type] == "cloned" {
        pipeline { your pipeline-to-pipeline}
    }
    if [type] != "cloned" {
        your other output
    }
}

Badger · June 23, 2022, 3:13pm

If you have two pipelines then just remove the fields (using mutate or prune) in one of them. The other one will send the complete event to elasticsearch. This is the forked-path pattern for pipeline-to-pipeline communication.

Laetitia_RICHARD · June 23, 2022, 4:18pm

Thank you for your answers.