[Elastic Agent] Add processor conditional in or any #3574

Open
a03nikki opened this issue Oct 9, 2023 · 3 comments

a03nikki commented Oct 9, 2023

Describe the enhancement:

Please add an "any" or "in" processor conditional.

Describe a specific use case for the enhancement or feature:

Currently the processor conditionals for both Agent and Beats have and, or, and equal. The original set of processors appears to have been added by elastic/beats#1447. However, there is not an any or in conditional.

For example, currently a list of values to check on a processor would be constructed as

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals:
            winlog.event_id: 0 
        - equals:
            winlog.event_id: 1
        - equals:
            winlog.event_id: 2
        - equals:
            winlog.event_id: 3

and it would be more intuitive and easier to maintain if it could be added similar to this

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    processors:
      - drop_event.when:
        - in:
          -  winlog.event_id: [0, 1, 2, 3]

or

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    processors:
      - drop_event.when:
        - any:
          -  winlog.event_id: [0, 1, 2, 3]

What is the definition of done?

There exists an easier way to provide a list of values to match a particular field against.
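
Until a condition like the one requested exists, the list can be kept in one place and expanded into the `or`/`equals` form shown in the issue. The following is an added example, not part of the original issue or the Beats code base; the `0-3` range syntax, the `FIELD` constant and the function names are assumptions of this sketch.

```python
# Added example: expand one list of event IDs into the `or`/`equals` form
# that the issue shows as the current way to match several values.
# FIELD, the "0-3" range syntax and the function names are assumptions of
# this sketch, not Beats features.

FIELD = "winlog.event_id"


def parse_ids(spec):
    """Turn "0-3, 7" into [0, 1, 2, 3, 7]; reject malformed or reversed entries."""
    ids = []
    for part in spec.split(","):
        part = part.strip()
        lo, sep, hi = part.partition("-")
        if not lo.isdecimal() or (sep and not hi.isdecimal()):
            raise ValueError(f"not an event ID or range: {part!r}")
        first = int(lo)
        last = int(hi) if sep else first
        if last < first:
            raise ValueError(f"reversed range: {part!r}")
        ids.extend(range(first, last + 1))
    # De-duplicate while keeping first-seen order so config diffs stay stable.
    return list(dict.fromkeys(ids))


def render_drop_processor(ids, field=FIELD, indent=6):
    """Return YAML text for a drop_event processor matching any of ids."""
    if not ids:
        # An empty list would leave `or` with no conditions; fail loudly instead.
        raise ValueError("refusing to render an empty condition list")
    pad = " " * indent
    lines = [f"{pad}- drop_event.when.or:"]
    for event_id in ids:
        lines.append(f"{pad}  - equals:")
        lines.append(f"{pad}      {field}: {event_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the processor block from the issue's first configuration.
    print(render_drop_processor(parse_ids("0-3")))
```

The default indent matches the nesting under `processors:` in the issue's configuration, so the output can be pasted or templated in place.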

@a03nikki a03nikki added enhancement New feature or request libbeat labels Oct 9, 2023
@a03nikki a03nikki changed the title [Elastic Agent] Add conditional process "in" or "any" [Elastic Agent] Add processor conditional "in" or "any" Oct 9, 2023
@a03nikki a03nikki changed the title [Elastic Agent] Add processor conditional "in" or "any" [Elastic Agent] Add processor conditional in or any Oct 9, 2023
@pierrehilbert pierrehilbert added the Team:Elastic-Agent Label for the Agent team label Oct 10, 2023
@elasticmachine
Contributor

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

@pierrehilbert
Contributor

@nimarezainia what are your thoughts about this one? Make sense to me but would like your eyes on this.

@leehinman
Contributor

Do the existing contains and range meet your needs? https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#conditions
