Redact processor
The Redact processor redacts sensitive data in a string field by matching grok patterns and replacing the matched content with a placeholder.
To redact sensitive information:
- Select Create → Create processor.
- Select Redact from the Processor menu.
- Set the Source Field to the field containing text you want to redact.
- Set the Patterns to one or more grok patterns that match sensitive data (for example, IP addresses or email addresses).
This functionality uses the Elasticsearch Redact processor internally, but you configure it in Streamlang. Streamlang doesn't always have 1:1 parity with the ingest processor options and behavior. Refer to Processor limitations and inconsistencies.
In YAML mode, configure the redact processor using the following parameters. For the complete Streamlang syntax, refer to the Streamlang reference.
| Parameter | Type | Required | Description |
|---|---|---|---|
from |
string | Yes | Source field to redact. |
patterns |
string[] | Yes | Grok patterns that match sensitive data. |
pattern_definitions |
object | No | Custom pattern definitions. |
prefix |
string | No | Prefix for the redacted placeholder. Defaults to <. |
suffix |
string | No | Suffix for the redacted placeholder. Defaults to >. |
ignore_missing |
boolean | No | When true, skip this processor if the source field is missing. Defaults to true. |
- action: redact
from: body.message
patterns:
- "%{IP:client_ip}"
- "%{EMAILADDRESS:email}"