elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

[Elastic Agent] Add processor conditional `in` or `any` #3574

Open a03nikki opened 1 year ago

a03nikki commented 1 year ago

Describe the enhancement:

Please add an "any" or "in" processor conditional.

Describe a specific use case for the enhancement or feature:

Currently the processor conditionals for both Agent and Beats have and, or, and equal. The original set of processors appears to have been added by https://github.com/elastic/beats/issues/1447. However, there is not an any or in conditional.

For example, currently a list of values to check on a processor would be constructed as

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals:
            winlog.event_id: 0 
        - equals:
            winlog.event_id: 1
        - equals:
            winlog.event_id: 2
        - equals:
            winlog.event_id: 3

and it would be more intuitive and easier to maintain if it could be added similar to this

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    processors:
      - drop_event.when:
        - in:
          -  winlog.event_id: [0, 1, 2, 3]

or

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    processors:
      - drop_event.when:
        - any:
          -  winlog.event_id: [0, 1, 2, 3]

What is the definition of done?

There exists an easier way to provide a list of values to match a particular field against.
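The rewrite this request asks for, as an added example (Python written for this page, not Beats or Elastic Agent code): `expand_in` turns the proposed `in`/`any` condition into the `or` of `equals` blocks that processors accept today, and `evaluate` checks that both forms match exactly the same events. The `in`/`any` keys are the hypothetical syntax from the request, `drop_event.when` is written as a nested structure instead of a dotted YAML key, and the sample conditions and events are constructed.

```python
from typing import Any, Dict

Cond = Dict[str, Any]  # one Beats condition, e.g. {"equals": {"field": value}}

def expand_in(cond: Cond) -> Cond:
    """Rewrite the hypothetical `in`/`any` into the `or`-of-`equals` form that
    Beats and Elastic Agent accept today, recursing through and/or/not."""
    if len(cond) != 1:
        raise ValueError(f"a condition has exactly one key, got {list(cond)}")
    (kind, body), = cond.items()
    if kind in ("in", "any"):
        (field, values), = body.items()
        return {"or": [{"equals": {field: v}} for v in values]}
    if kind in ("and", "or"):
        return {kind: [expand_in(c) for c in body]}
    if kind == "not":
        return {"not": expand_in(body)}
    return cond  # equals, contains, range, ... are already supported

def evaluate(cond: Cond, event: Dict[str, Any]) -> bool:
    """Evaluate equals/in/any/or/and/not against a flat event mapping."""
    (kind, body), = cond.items()
    if kind == "equals":
        return all(event.get(f) == v for f, v in body.items())
    if kind in ("in", "any"):
        return all(event.get(f) in vals for f, vals in body.items())
    if kind == "or":
        return any(evaluate(c, event) for c in body)
    if kind == "and":
        return all(evaluate(c, event) for c in body)
    if kind == "not":
        return not evaluate(body, event)
    raise NotImplementedError(f"condition type {kind!r} is not handled here")

# Constructed samples: the issue's proposed `drop_event.when` as a nested
# structure (the dotted YAML key written out), plus a nested variant.
PROPOSED = {"in": {"winlog.event_id": [0, 1, 2, 3]}}
NESTED = {"and": [{"equals": {"winlog.channel": "Application"}},
                  {"not": {"any": {"winlog.event_id": [4, 5]}}}]}

def forms_agree(cond: Cond, event_ids) -> bool:
    """True when `cond` and its expansion drop exactly the same sample events."""
    expanded = expand_in(cond)
    for eid in event_ids:
        event = {"winlog.event_id": eid, "winlog.channel": "Application"}
        if evaluate(cond, event) != evaluate(expanded, event):
            return False
    return True
```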

elasticmachine commented 1 year ago

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

pierrehilbert commented 1 year ago

@nimarezainia what are your thoughts about this one? Makes sense to me but would like your eyes on this.

leehinman commented 1 year ago

Do the existing contains and range meet your needs? https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#conditions