"The processor action grok does not exist" in FileBeat. Why ? (Custom Logs Integration)

mehdi-lamrani · May 7, 2023, 9:27am

I am a bit confused here.
Grok is available in Ingest Processors but not in Filebeat processors
May I ask why ?

I was hoping to do this

, but it breaks, as I am getting the following error :

[elastic_agent][error] [...] the processor action grok does not exist.

So,
1 - Why are the 2 processor families different ? why have two sets of processors and not just one ? (philosophical question)
2 - Where should I put my grok then ? (I am using custom logs integration)
My guess is that I need to define an ingest pipeline and add it to custom configurations.
Am I right ?

Thanks in advance,
M.

rugenl · May 7, 2023, 7:21pm

I think because ingest processor is an ingest pipeline, running on an elasticsearch node. FIlebeat processors are lightweight, limited and run on filebeat. Filebeat processors are good for dropping data before it traverses the network, but could put a lot of load on the agent if not kept simple.

warkolm · May 7, 2023, 10:41pm

Yep that's pretty much the reasoning behind the separation!

mehdi-lamrani · May 8, 2023, 4:00pm

Ok, makes sense.
Thanks for the clarification

Topic		Replies	Views
【filebeat】Did Filebeat consider adding a Grok processor in the processors module? Beats filebeat	1	193	November 6, 2023
Grok Pattern against stdout Beats docker , filebeat	5	535	January 8, 2021
Are ingest pipelines created by agent expected to be different from the same type of pipeline created by beats? Beats filebeat	3	198	November 15, 2023
Elastic agent with Ingest pipeline Elastic Agent	18	639	September 24, 2024
Beats Native Grok Processor Beats filebeat	1	463	July 19, 2023

"The processor action grok does not exist" in FileBeat. Why ? (Custom Logs Integration)

Related topics