"The processor action grok does not exist" in FileBeat. Why ? (Custom Logs Integration)

mehdi-lamrani · May 7, 2023, 9:27am

I am a bit confused here.
Grok is available in Ingest Processors but not in Filebeat processors
May I ask why ?

I was hoping to do this

, but it breaks, as I am getting the following error :

[elastic_agent][error] [...] the processor action grok does not exist.

So,
1 - Why are the 2 processor families different ? why have two sets of processors and not just one ? (philosophical question)
2 - Where should I put my grok then ? (I am using custom logs integration)
My guess is that I need to define an ingest pipeline and add it to custom configurations.
Am I right ?

Thanks in advance,
M.

rugenl · May 7, 2023, 7:21pm

I think because ingest processor is an ingest pipeline, running on an elasticsearch node. FIlebeat processors are lightweight, limited and run on filebeat. Filebeat processors are good for dropping data before it traverses the network, but could put a lot of load on the agent if not kept simple.

warkolm · May 7, 2023, 10:41pm

Yep that's pretty much the reasoning behind the separation!

mehdi-lamrani · May 8, 2023, 4:00pm

Ok, makes sense.
Thanks for the clarification

system · June 5, 2023, 4:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Are ingest pipelines created by agent expected to be different from the same type of pipeline created by beats? Beats filebeat	3	161	November 15, 2023
Question regarding "where" log data is process Beats filebeat	3	287	April 3, 2020
Grok processor is not applied for indexed records in elastic search Elasticsearch	2	542	November 27, 2017
Grok Processor Custom Patterns Elasticsearch	3	788	May 16, 2019
Filebeat module ingest logic execution Beats filebeat	3	350	February 11, 2019

"The processor action grok does not exist" in FileBeat. Why ? (Custom Logs Integration)

Related topics