File: //usr/share/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml
description: Pipeline for parsing elasticsearch deprecation logs
processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
- set:
copy_from: "@timestamp"
field: event.created
- grok:
field: message
patterns:
- ^%{CHAR:first_char}
pattern_definitions:
CHAR: .
- pipeline:
if: ctx.first_char != '{'
name: '{< IngestPipeline "pipeline-plaintext" >}'
- pipeline:
if: ctx.first_char == '{'
name: '{< IngestPipeline "pipeline-json" >}'
- set:
field: event.kind
value: event
- set:
field: event.category
value: database
- set:
field: event.type
value: info
- set:
field: host.id
value: "{{elasticsearch.node.id}}"
ignore_empty_value: true
- set:
field: host.name
value: "{{elasticsearch.node.name}}"
ignore_empty_value: true
- remove:
field:
- elasticsearch.deprecation.timestamp
- elasticsearch.deprecation.@timestamp
ignore_missing: true
- remove:
field:
- first_char
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'