What is the difference between processor add_fields and regular "fields:"

john_eapen · October 29, 2019, 12:13pm

I am using filebeat (docker 7.4.1).

1)What is the difference between processor add_fields and regular "fields:"

Also, I am using autodiscover for nginx/mongo containers AND regular filebeat.input of type container for all other container logs. I do not have a very good inbuilt field/property to differentiate between these two types so that I can exclude autodiscover containers from regular filebeat input of type containers.
Is there a good way to achieve this? Therefore I was wondering if I could add a custom field to be used in include_lines.

Appreciate any pointers.
thx

B.M · October 29, 2019, 1:15pm

Here are 2 links to answer your question add_fields, fields

kvch · October 29, 2019, 3:19pm

When you are defining processors with complex conditionals, you can use add_fields processor. However, fields are always added to events.
You can tag events by input using fields. Note that fields are added to events after include_lines are applied. So it won't have any impact on your event processing.

system · November 26, 2019, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding fields does not work with docker input Beats filebeat	1	387	December 20, 2018
Documentation on the relationship between output fields and input plugins/processors Beats filebeat	1	152	October 18, 2023
Beats - Define field type with add_fields processor in *beat.yml? Beats	2	815	March 18, 2020
What is the difference between fields pass by filebeat and fields in logstash? Logstash	6	367	June 20, 2021
Filebeat add_fields processor Beats filebeat	5	2913	January 5, 2022