Script Processor
The `script` processor executes JavaScript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.
The processor can be configured by embedding JavaScript in your configuration file or by pointing the processor at external files.

```yaml
- script:
    lang: javascript
    source: >
      function process(event) {
          event.Tag("js");
      }
```

This example loads `filter.js` from disk:

```yaml
- script:
    lang: javascript
    file: ${path.config}/filter.js
```

Parameters can be passed to the script by adding `params` to the config. This allows for a script to be made reusable. When using `params` the code must define a `register(params)` function to receive the parameters.

```yaml
- script:
    lang: javascript
    tag: my_filter
    params:
      threshold: 15
    source: >
      var params = {threshold: 42};
      function register(scriptParams) {
          params = scriptParams;
      }
      function process(event) {
          if (event.Get("severity") < params.threshold) {
              event.Cancel();
          }
      }
```

If the script defines a `test()` function, it will be invoked when the processor is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.

```javascript
function process(event) {
    if (event.Get("event.code") === 1102) {
        event.Put("event.action", "cleared");
    }
    return event;
}

function test() {
    var event = process(new Event({event: {code: 1102}}));
    if (event.Get("event.action") !== "cleared") {
        throw "expected event.action === cleared";
    }
}
```

Elastic Agent processors execute *before* ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer to What are some limitations of using processors?

| Name | Required | Default | Description |
|---|---|---|---|
| `lang` | Yes | | The value of this field must be `javascript`. |
| `tag` | No | | Optional identifier added to log messages. If defined, this tag enables metrics logging for this instance of the processor. The metrics include the number of exceptions and a histogram of the execution times for the `process` function. |
| `source` | | | Inline JavaScript source code. |
| `file` | | | Path to a script file to load. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded. |
| `files` | | | List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded. |
| `params` | | | A dictionary of parameters that are passed to the `register` function of the script. |
| `tag_on_exception` | | `_js_exception` | Tag to add to events in case the JavaScript code causes an exception while processing an event. |
| `timeout` | | no timeout | An execution timeout for the `process` function. When the `process` function takes longer than the `timeout` period, the function is interrupted. You can set this option to prevent a script from running for too long (like preventing an infinite `while` loop). |
| `max_cached_sessions` | | 4 | The maximum number of JavaScript VM sessions that will be cached to avoid reallocation. |

The `Event` object passed to the `process` method has the following API.

| Method | Description |
|---|---|
| `Get(string)` | Get a value from the event (either a scalar or an object). If the key does not exist, `null` is returned. If no key is provided, then an object containing all fields is returned. Example: `var value = event.Get(key);` |
| `Put(string, value)` | Put a value into the event. If the key was already set, then the previous value is returned. It throws an exception if the key cannot be set because one of the intermediate values is not an object. Example: `var old = event.Put(key, value);` |
| `Rename(string, string)` | Rename a key in the event. The target key must not exist. It returns true if the source key was successfully renamed to the target key. Example: `var success = event.Rename("source", "target");` |
| `Delete(string)` | Delete a field from the event. It returns true on success. Example: `var deleted = event.Delete("user.email");` |
| `Cancel()` | Flag the event as cancelled, which causes the processor to drop the event. Example: `event.Cancel(); return;` |
| `Tag(string)` | Append a tag to the `tags` field if the tag does not already exist. Throws an exception if `tags` exists and is not a string or a list of strings. Example: `event.Tag("user_event");` |
| `AppendTo(string, string)` | `AppendTo` is a specialized `Put` method that converts the existing value to an array and appends the value if it does not already exist. If there is an existing value that’s not a string or array of strings, then an exception is thrown. Example: `event.AppendTo("error.message", "invalid file hash");` |
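
The `params` threshold filter shown earlier compares `event.Get("severity")` directly, but `Get` returns `null` for a missing key and `null < 15` is true in JavaScript, so events that lack a `severity` field are cancelled as well. The script below is an added example (not part of the original documentation) that tags such events instead of dropping them and asserts on its decision logic in `test()`; the `decide` helper, the verdict names and the `severity_unparsed` tag are assumptions made for this illustration.

```javascript
// Added example, not from the original page. ES5.1 syntax only.
var params = {threshold: 15};

function register(scriptParams) {
    // Refuse a non-numeric threshold: `x < undefined` is always false,
    // which would quietly disable the filter.
    if (typeof scriptParams.threshold !== "number" || !isFinite(scriptParams.threshold)) {
        throw "params.threshold must be a number";
    }
    params = scriptParams;
}

// Pure decision function so test() can assert on it without an Event.
// Returns "drop", "keep" or "flag" (hypothetical names chosen for this example).
function decide(severity, threshold) {
    if (typeof severity === "string" && /^\d+$/.test(severity)) {
        severity = parseInt(severity, 10); // numeric strings are common in parsed logs
    }
    if (typeof severity !== "number" || !isFinite(severity)) {
        return "flag"; // missing (null) or malformed: never drop silently
    }
    return severity < threshold ? "drop" : "keep";
}

function process(event) {
    var verdict = decide(event.Get("severity"), params.threshold);
    if (verdict === "drop") {
        event.Cancel();
        return;
    }
    if (verdict === "flag") {
        event.Tag("severity_unparsed"); // keep the event, mark it for review
    }
    return event;
}

// Invoked when the processor is loaded; a throw here stops it from loading.
function test() {
    // Constructed sample inputs: [severity value, expected verdict at threshold 15].
    var cases = [[3, "drop"], [15, "keep"], [42, "keep"], ["7", "drop"],
                 [null, "flag"], ["high", "flag"], [{}, "flag"]];
    for (var i = 0; i < cases.length; i++) {
        var got = decide(cases[i][0], 15);
        if (got !== cases[i][1]) {
            throw "severity " + JSON.stringify(cases[i][0]) + ": expected " + cases[i][1] + ", got " + got;
        }
    }
}
```

Events tagged `severity_unparsed` can then be counted downstream to spot sources that stopped sending a usable severity.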