Add fields
The add_fields processor adds fields to the event. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The add_fields processor overwrites the target field if it already exists. By default, the fields that you specify are grouped under the fields sub-dictionary in the event. To group the fields under a different sub-dictionary, use the target setting. To store the fields as top-level fields, set target: ''.
This configuration:
- add_fields:
target: project
fields:
name: myproject
id: '574734885120952459'
Adds these fields to any event:
{
"project": {
"name": "myproject",
"id": "574734885120952459"
}
}
This configuration alters the event metadata:
- add_fields:
target: '@metadata'
fields:
op_type: "index"
When the event is ingested by Elasticsearch, the document will have op_type: "index" set as a metadata field.
Elastic Agent processors execute before ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer to What are some limitations of using processors?
| Name | Required | Default | Description |
|---|---|---|---|
target |
No | fields |
Sub-dictionary to put all fields into. Set target to @metadata to add values to the event metadata instead of fields. |
fields |
Yes | Fields to be added. |