Move fields
Themove_fields processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
The processor extracts fields fromfrom, then usesfields andexclude as filters to choose which fields to move into theto field.
For example, given the following event:
{ "app": { "method": "a", "elapsed_time": 100, "user_id": 100, "message": "i'm a message" }}
To movemethod andelapsed_time into another object, use this configuration:
processors: - move_fields: from: "app" fields: ["method", "elapsed_time"], to: "rpc."
Your final event will be:
{ "app": { "user_id": 100, "message": "i'm a message", "rpc": { "method": "a", "elapsed_time": 100 } }}
To add a prefix to the whole event:
{ "app": { "method": "a"}, "cost": 100}
Use this configuration:
processors: - move_fields: to: "my_prefix_"
Your final event will be:
{ "my_prefix_app": { "method": "a"}, "my_prefix_cost": 100}
| Name | Required | Default | Description |
|---|
from | no | | Which field you want extract. This field and any nested fields will be moved intoto unless they are filtered out. If empty, indicates event root. |
fields | no | | Which fields to extract fromfrom and move toto. An empty list indicates all fields. |
ignore_missing | no | false | Ignore "not found" errors when extracting fields. |
exclude | no | | A list of fields to exclude and not move. |
to | yes | | These fields extract fromfrom destination field prefix theto will base on fields root. |