Ingest processors help you change or organize data before saving it. They make data easier to search and understand.
Ingest processors (grok, date, rename) in Elasticsearch

{
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{COMMONAPACHELOG}"]
      }
    },
    {
      "date": {
        "field": "timestamp",
        "formats": ["dd/MMM/yyyy:HH:mm:ss Z"]
      }
    },
    {
      "rename": {
        "field": "old_field_name",
        "target_field": "new_field_name"
      }
    }
  ]
}

The grok processor extracts data using patterns from text.
The date processor converts text to date format for better sorting and searching.
The rename processor changes field names to keep data clear.

{
  "grok": {
    "field": "log",
    "patterns": ["%{IP:client} %{WORD:method} %{URIPATHPARAM:request}"]
  }
}

{
  "date": {
    "field": "event_time",
    "formats": ["ISO8601"]
  }
}

{
  "rename": {
    "field": "temp",
    "target_field": "temperature"
  }
}

This pipeline extracts fields from a common Apache log message, converts the timestamp to a date, and renames the client IP field to 'ip_address' for clarity.

{
  "description": "Example pipeline using grok, date, and rename processors",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{COMMONAPACHELOG}"]
      }
    },
    {
      "date": {
        "field": "timestamp",
        "formats": ["dd/MMM/yyyy:HH:mm:ss Z"]
      }
    },
    {
      "rename": {
        "field": "clientip",
        "target_field": "ip_address"
      }
    }
  ]
}

Grok patterns are reusable templates to find parts of text easily.
Date formats must match the text exactly or the processor will fail.
Renaming helps keep your data consistent and easy to understand.
Ingest processors change data before saving it to make searching easier.
Grok extracts parts of text, date converts text to date, rename changes field names.
Use these processors together to clean and organize your data automatically.
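
An added example, not from the original page: the pipeline above as a request body for the simulate API (`POST _ingest/pipeline/_simulate`), with a pipeline-level `on_failure` handler so that a log line which fails grok or date parsing is kept and marked instead of being rejected. The `error.message` field name, the `_ingest_failure` tag and both sample log lines are constructed for illustration.

```json
{
  "pipeline": {
    "description": "Added example: the page's pipeline plus failure handling",
    "processors": [
      { "grok": { "field": "message", "patterns": ["%{COMMONAPACHELOG}"] } },
      { "date": { "field": "timestamp", "formats": ["dd/MMM/yyyy:HH:mm:ss Z"] } },
      { "rename": { "field": "clientip", "target_field": "ip_address" } }
    ],
    "on_failure": [
      {
        "set": {
          "description": "Illustrative field name; records which processor failed and why",
          "field": "error.message",
          "value": "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"
        }
      },
      {
        "append": {
          "description": "Illustrative tag; lets failed events be searched and alerted on",
          "field": "tags",
          "value": ["_ingest_failure"]
        }
      }
    ]
  },
  "docs": [
    { "_source": { "message": "192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] \"GET /index.html HTTP/1.1\" 200 2326" } },
    { "_source": { "message": "constructed line that does not match the Apache pattern" } }
  ]
}
```

The original `message` field is left in place, so a failed event keeps its raw text for later review.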