Replace fields from events
Thereplace processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
Thereplace processor cannot be used to create a completely new value.
Tip
You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
The following example changes the path from/usr/bin to/usr/local/bin:
- replace: fields: - field: "file.path" pattern: "/usr/" replacement: "/usr/local/" ignore_missing: false fail_on_error: trueNote
Elastic Agent processors executebefore ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer toWhat are some limitations of using processors?
| Name | Required | Default | Description |
|---|---|---|---|
fields | Yes | List of one or more items. Each item contains afield: field-name,pattern: regex-pattern, andreplacement: replacement-string, where:* field is the original field name. You can use the@metadata. prefix in this field to replace values in the event metadata instead of event fields.* pattern is the regex pattern to match the field’s value* replacement is the replacement string to use to update the field’s value | |
ignore_missing | No | false | Whether to ignore missing fields. Iftrue, no error is logged if the specified field is missing. |
fail_on_error | No | true | Whether to fail replacement of field values if an error occurs.Iftrue and there’s an error, the replacement of field values is stopped, and the original event is returned.Iffalse, replacement continues even if an error occurs during replacement. |
SeeConditions for a list of supported conditions.