What is the difference between processor add_fields and regular "fields:"

john_eapen · October 29, 2019, 12:13pm

I am using filebeat (docker 7.4.1).

1)What is the difference between processor add_fields and regular "fields:"

Also, I am using autodiscover for nginx/mongo containers AND regular filebeat.input of type container for all other container logs. I do not have a very good inbuilt field/property to differentiate between these two types so that I can exclude autodiscover containers from regular filebeat input of type containers.
Is there a good way to achieve this? Therefore I was wondering if I could add a custom field to be used in include_lines.

Appreciate any pointers.
thx

B.M · October 29, 2019, 1:15pm

Here are 2 links to answer your question add_fields, fields

kvch · October 29, 2019, 3:19pm

When you are defining processors with complex conditionals, you can use add_fields processor. However, fields are always added to events.
You can tag events by input using fields. Note that fields are added to events after include_lines are applied. So it won't have any impact on your event processing.

system · November 26, 2019, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.