"The processor action grok does not exist" in FileBeat. Why ? (Custom Logs Integration)

mehdi-lamrani · May 7, 2023, 9:27am

I am a bit confused here.
Grok is available in Ingest Processors but not in Filebeat processors
May I ask why ?

I was hoping to do this

, but it breaks, as I am getting the following error :

[elastic_agent][error] [...] the processor action grok does not exist.

So,
1 - Why are the 2 processor families different ? why have two sets of processors and not just one ? (philosophical question)
2 - Where should I put my grok then ? (I am using custom logs integration)
My guess is that I need to define an ingest pipeline and add it to custom configurations.
Am I right ?

Thanks in advance,
M.

rugenl · May 7, 2023, 7:21pm

I think because ingest processor is an ingest pipeline, running on an elasticsearch node. FIlebeat processors are lightweight, limited and run on filebeat. Filebeat processors are good for dropping data before it traverses the network, but could put a lot of load on the agent if not kept simple.

warkolm · May 7, 2023, 10:41pm

Yep that's pretty much the reasoning behind the separation!

mehdi-lamrani · May 8, 2023, 4:00pm

Ok, makes sense.
Thanks for the clarification

system · June 5, 2023, 4:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Are ingest pipelines created by agent expected to be different from the same type of pipeline created by beats? Beats filebeat	3	161	November 15, 2023
Ingest pipelines with cloned from filebeat ingest pipeline do not act on additinal processor Elasticsearch ingest-pipeline	0	62	June 12, 2024
Filebeat custom module pipeline failed Beats filebeat	5	511	October 20, 2020
Beats Native Grok Processor Beats filebeat	1	373	July 19, 2023
Adding Custom processors with Elastic-Agent Elastic Agent	4	407	March 8, 2023

"The processor action grok does not exist" in FileBeat. Why ? (Custom Logs Integration)

Related Topics