From 091da4e3cc21b04497ac6ca9d4cdd2ddfd93fd52 Mon Sep 17 00:00:00 2001 From: Denis Date: Fri, 5 Jan 2024 19:46:19 +0000 Subject: [PATCH] Add a warning about altering existing event fields by processors (#37459) This is important to mention, since some of our processors rely on a certain event schema and pre-existing fields. So, these fields should not be removed or overwritten. --- libbeat/docs/processors.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libbeat/docs/processors.asciidoc b/libbeat/docs/processors.asciidoc index f4fda6c50f7c..fc91b31a49af 100644 --- a/libbeat/docs/processors.asciidoc +++ b/libbeat/docs/processors.asciidoc @@ -25,3 +25,5 @@ order they are defined in the {beatname_uc} configuration file. ------- event -> processor 1 -> event1 -> processor 2 -> event2 ... ------- + +IMPORTANT: It's recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it's necessary to remove, rename or overwrite an existing event field, please make sure it's done by a corresponding processor (<>, <> or <>) placed at the end of the processor list defined in the input configuration.