Add a warning about altering existing event fields by processors (#37459

) This is important to mention, since some of our processors rely on a certain event schema and pre-existing fields. So, these fields should not be removed or overwritten.
elastic · Jan 5, 2024 · 091da4e · 091da4e
1 parent 824dd04
commit 091da4e
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/libbeat/docs/processors.asciidoc b/libbeat/docs/processors.asciidoc
@@ -25,3 +25,5 @@ order they are defined in the {beatname_uc} configuration file.
 -------
 event -> processor 1 -> event1 -> processor 2 -> event2 ...
 -------
+
+IMPORTANT: It's recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it's necessary to remove, rename or overwrite an existing event field, please make sure it's done by a corresponding processor (<<drop-fields,`drop_fields`>>, <<rename-fields,`rename`>> or <<add-fields, `add_fields`>>) placed at the end of the processor list defined in the input configuration.