- Packetbeat Reference: other versions:
- Overview
- Getting started with Packetbeat
- Setting up and running Packetbeat
- Upgrading Packetbeat
- Configuring Packetbeat
- Set traffic capturing options
- Set up flows to monitor network traffic
- Specify which transaction protocols to monitor
- Specify which processes to monitor
- Specify general settings
- Configure the internal queue
- Configure the output
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Export GeoIP Information
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- HTTP Endpoint
- packetbeat.reference.yml
- Exported fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DHCPv4 fields
- DNS fields
- Docker fields
- Flow Event fields
- Host fields
- HTTP fields
- ICMP fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Raw fields
- Redis fields
- Thrift-RPC fields
- TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitoring Packetbeat
- Securing Packetbeat
- Visualizing Packetbeat data in Kibana
- Troubleshooting
- Contributing to Beats
IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Filter and enhance the exported data
editFilter and enhance the exported data
editYou can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Packetbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...
For example, the following configuration includes a subset of the Packetbeat DNS fields so that only the requests and their response codes are reported:
processors: - include_fields: fields: - bytes_in - bytes_out - ip - client_ip - dns.question.name - dns.question.etld_plus_one - dns.response_code
The filtered event would look something like this:
{ "@timestamp": "2016-03-28T14:48:21.732Z", "bytes_in": 32, "bytes_out": 48, "client_ip": "192.168.10.111", "dns": { "question": { "etld_plus_one": "google.com.", "name": "www.google.com." }, "response_code": "NOERROR" }, "ip": "8.8.8.8", "type": "dns" }
If you would like to drop all the successful transactions, you can use the following configuration:
processors: - drop_event: when: equals: http.response.code: 200
If you don’t want to export raw data for the successful transactions:
processors: - drop_fields: when: equals: http.response.code: 200 fields: ["request", "response"]
Was this helpful?
Thank you for your feedback.