|
212 | 212 | "shape_type" |
213 | 213 | ] |
214 | 214 | }, |
| 215 | + "CommunityIDProcessor": { |
| 216 | + "properties": { |
| 217 | + "description": { |
| 218 | + "type": "string", |
| 219 | + "description": "Description of the processor. Useful for describing the purpose of the processor or its configuration." |
| 220 | + }, |
| 221 | + "if": { |
| 222 | + "type": "string", |
| 223 | + "description": "Conditionally execute the processor." |
| 224 | + }, |
| 225 | + "ignore_failure": { |
| 226 | + "type": "boolean", |
| 227 | + "description": "Ignore failures for the processor." |
| 228 | + }, |
| 229 | + "on_failure": { |
| 230 | + "items": { |
| 231 | + "$ref": "#/$defs/ProcessorContainer" |
| 232 | + }, |
| 233 | + "type": "array", |
| 234 | + "description": "Handle failures for the processor." |
| 235 | + }, |
| 236 | + "tag": { |
| 237 | + "type": "string", |
| 238 | + "description": "Identifier for the processor. Useful for debugging and metrics." |
| 239 | + }, |
| 240 | + "source_ip": { |
| 241 | + "type": "string", |
| 242 | + "description": "Field containing the source IP address." |
| 243 | + }, |
| 244 | + "source_port": { |
| 245 | + "type": "string", |
| 246 | + "description": "Field containing the source port." |
| 247 | + }, |
| 248 | + "destination_ip": { |
| 249 | + "type": "string", |
| 250 | + "description": "Field containing the destination IP address." |
| 251 | + }, |
| 252 | + "destination_port": { |
| 253 | + "type": "string", |
| 254 | + "description": "Field containing the destination port." |
| 255 | + }, |
| 256 | + "iana_number": { |
| 257 | + "type": "string", |
| 258 | + "description": "Field containing the IANA number." |
| 259 | + }, |
| 260 | + "icmp_type": { |
| 261 | + "type": "string", |
| 262 | + "description": "Field containing the ICMP type." |
| 263 | + }, |
| 264 | + "icmp_code": { |
| 265 | + "type": "string", |
| 266 | + "description": "Field containing the ICMP code." |
| 267 | + }, |
| 268 | + "transport": { |
| 269 | + "type": "string", |
| 270 | + "description": "Field containing the transport protocol name or number. Used only when the iana_number field is not present. The following protocol names are currently supported: eigrp, gre, icmp, icmpv6, igmp, ipv6-icmp, ospf, pim, sctp, tcp, udp." |
| 271 | + }, |
| 272 | + "target_field": { |
| 273 | + "type": "string", |
| 274 | + "description": "Output field for the community ID." |
| 275 | + }, |
| 276 | + "seed": { |
| 277 | + "type": "integer", |
| 278 | + "description": "Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme." |
| 279 | + }, |
| 280 | + "ignore_missing": { |
| 281 | + "type": "boolean", |
| 282 | + "description": "If true and any required fields are missing, the processor quietly exits without modifying the document." |
| 283 | + } |
| 284 | + }, |
| 285 | + "additionalProperties": false, |
| 286 | + "type": "object" |
| 287 | + }, |
215 | 288 | "ConvertProcessor": { |
216 | 289 | "properties": { |
217 | 290 | "description": { |
|
432 | 505 | "timezone": { |
433 | 506 | "type": "string", |
434 | 507 | "description": "The timezone to use when parsing the date. Supports template snippets." |
| 508 | + }, |
| 509 | + "output_format": { |
| 510 | + "type": "string", |
| 511 | + "description": "The format to use when writing the date to target_field. Must be a valid java time pattern." |
435 | 512 | } |
436 | 513 | }, |
437 | 514 | "additionalProperties": false, |
|
661 | 738 | "message" |
662 | 739 | ] |
663 | 740 | }, |
| 741 | + "FingerprintProcessor": { |
| 742 | + "properties": { |
| 743 | + "description": { |
| 744 | + "type": "string", |
| 745 | + "description": "Description of the processor. Useful for describing the purpose of the processor or its configuration." |
| 746 | + }, |
| 747 | + "if": { |
| 748 | + "type": "string", |
| 749 | + "description": "Conditionally execute the processor." |
| 750 | + }, |
| 751 | + "ignore_failure": { |
| 752 | + "type": "boolean", |
| 753 | + "description": "Ignore failures for the processor." |
| 754 | + }, |
| 755 | + "on_failure": { |
| 756 | + "items": { |
| 757 | + "$ref": "#/$defs/ProcessorContainer" |
| 758 | + }, |
| 759 | + "type": "array", |
| 760 | + "description": "Handle failures for the processor." |
| 761 | + }, |
| 762 | + "tag": { |
| 763 | + "type": "string", |
| 764 | + "description": "Identifier for the processor. Useful for debugging and metrics." |
| 765 | + }, |
| 766 | + "fields": { |
| 767 | + "description": "Array of fields to include in the fingerprint. For objects, the processor hashes both the field key and value. For other fields, the processor hashes only the field value. Required." |
| 768 | + }, |
| 769 | + "target_field": { |
| 770 | + "type": "string", |
| 771 | + "description": "Output field for the fingerprint." |
| 772 | + }, |
| 773 | + "salt": { |
| 774 | + "type": "string", |
| 775 | + "description": "Salt value for the hash function." |
| 776 | + }, |
| 777 | + "method": { |
| 778 | + "type": "string", |
| 779 | + "description": "The hash method used to compute the fingerprint. Must be one of MD5, SHA-1, SHA-256, SHA-512, or MurmurHash3." |
| 780 | + }, |
| 781 | + "ignore_missing": { |
| 782 | + "type": "boolean", |
| 783 | + "description": "If true, the processor ignores any missing fields. If all fields are missing, the processor silently exits without modifying the document." |
| 784 | + } |
| 785 | + }, |
| 786 | + "additionalProperties": false, |
| 787 | + "type": "object", |
| 788 | + "required": [ |
| 789 | + "fields" |
| 790 | + ] |
| 791 | + }, |
664 | 792 | "ForeachProcessor": { |
665 | 793 | "properties": { |
666 | 794 | "description": { |
|
863 | 991 | "type": "string", |
864 | 992 | "description": "Identifier for the processor. Useful for debugging and metrics." |
865 | 993 | }, |
| 994 | + "ecs_compatibility": { |
| 995 | + "type": "string", |
| 996 | + "description": "Must be disabled or v1. If v1, the processor uses patterns with Elastic Common Schema (ECS) field names." |
| 997 | + }, |
866 | 998 | "field": { |
867 | 999 | "type": "string", |
868 | 1000 | "description": "The field to use for grok expression parsing. Required." |
|
1325 | 1457 | "Metadata": { |
1326 | 1458 | "type": "object" |
1327 | 1459 | }, |
| 1460 | + "NetworkDirectionProcessor": { |
| 1461 | + "properties": { |
| 1462 | + "description": { |
| 1463 | + "type": "string", |
| 1464 | + "description": "Description of the processor. Useful for describing the purpose of the processor or its configuration." |
| 1465 | + }, |
| 1466 | + "if": { |
| 1467 | + "type": "string", |
| 1468 | + "description": "Conditionally execute the processor." |
| 1469 | + }, |
| 1470 | + "ignore_failure": { |
| 1471 | + "type": "boolean", |
| 1472 | + "description": "Ignore failures for the processor." |
| 1473 | + }, |
| 1474 | + "on_failure": { |
| 1475 | + "items": { |
| 1476 | + "$ref": "#/$defs/ProcessorContainer" |
| 1477 | + }, |
| 1478 | + "type": "array", |
| 1479 | + "description": "Handle failures for the processor." |
| 1480 | + }, |
| 1481 | + "tag": { |
| 1482 | + "type": "string", |
| 1483 | + "description": "Identifier for the processor. Useful for debugging and metrics." |
| 1484 | + }, |
| 1485 | + "source_ip": { |
| 1486 | + "type": "string", |
| 1487 | + "description": "Field containing the source IP address." |
| 1488 | + }, |
| 1489 | + "destination_ip": { |
| 1490 | + "type": "string", |
| 1491 | + "description": "Field containing the destination IP address." |
| 1492 | + }, |
| 1493 | + "target_field": { |
| 1494 | + "type": "string", |
| 1495 | + "description": "Output field for the network direction." |
| 1496 | + }, |
| 1497 | + "internal_networks": { |
| 1498 | + "items": { |
| 1499 | + "type": "string" |
| 1500 | + }, |
| 1501 | + "type": "array", |
| 1502 | + "description": "List of internal networks. Supports IPv4 and IPv6 addresses and ranges in CIDR notation. Also supports the named ranges listed below. These may be constructed with template snippets. Must specify only one of internal_networks or internal_networks_field." |
| 1503 | + }, |
| 1504 | + "internal_networks_field": { |
| 1505 | + "type": "string", |
| 1506 | + "description": "A field on the given document to read the internal_networks configuration from." |
| 1507 | + }, |
| 1508 | + "ignore_missing": { |
| 1509 | + "type": "boolean", |
| 1510 | + "description": "If true and any required fields are missing, the processor quietly exits without modifying the document." |
| 1511 | + } |
| 1512 | + }, |
| 1513 | + "additionalProperties": false, |
| 1514 | + "type": "object" |
| 1515 | + }, |
1328 | 1516 | "Pipeline": { |
1329 | 1517 | "properties": { |
1330 | 1518 | "description": { |
|
1419 | 1607 | "$ref": "#/$defs/CircleProcessor", |
1420 | 1608 | "description": "Converts circle definitions of shapes to regular polygons which approximate them." |
1421 | 1609 | }, |
| 1610 | + "community_id": { |
| 1611 | + "$ref": "#/$defs/CommunityIDProcessor", |
| 1612 | + "description": "Computes the Community ID for network flow data as defined in the Community ID Specification. You can use a community ID to correlate network events related to a single flow." |
| 1613 | + }, |
1422 | 1614 | "convert": { |
1423 | 1615 | "$ref": "#/$defs/ConvertProcessor", |
1424 | 1616 | "description": "Converts a field in the currently ingested document to a different type, such as converting a string to an integer. If the field value is an array, all members will be converted." |
|
1455 | 1647 | "$ref": "#/$defs/FailProcessor", |
1456 | 1648 | "description": "Raises an exception. This is useful for when you expect a pipeline to fail and want to relay a specific message to the requester." |
1457 | 1649 | }, |
| 1650 | + "fingerprint": { |
| 1651 | + "$ref": "#/$defs/FingerprintProcessor", |
| 1652 | + "description": "Computes a hash of the document’s content. You can use this hash for content fingerprinting." |
| 1653 | + }, |
1458 | 1654 | "foreach": { |
1459 | 1655 | "$ref": "#/$defs/ForeachProcessor", |
1460 | 1656 | "description": "Runs an ingest processor on each element of an array or object." |
|
1499 | 1695 | "$ref": "#/$defs/LowercaseProcessor", |
1500 | 1696 | "description": "Converts a string to its lowercase equivalent. If the field is an array of strings, all members of the array will be converted." |
1501 | 1697 | }, |
| 1698 | + "network_direction": { |
| 1699 | + "$ref": "#/$defs/NetworkDirectionProcessor", |
| 1700 | + "description": "Calculates the network direction given a source IP address, destination IP address, and a list of internal networks." |
| 1701 | + }, |
1502 | 1702 | "pipeline": { |
1503 | 1703 | "$ref": "#/$defs/PipelineProcessor", |
1504 | 1704 | "description": "Executes another pipeline." |
|
1507 | 1707 | "$ref": "#/$defs/RedactProcessor", |
1508 | 1708 | "description": "The Redact processor uses the Grok rules engine to obscure text in the input document matching the given Grok patterns. The processor can be used to obscure Personal Identifying Information (PII) by configuring it to detect known patterns such as email or IP addresses. Text that matches a Grok pattern is replaced with a configurable string such as `\u003cEMAIL\u003e` where an email address is matched or simply replace all matches with the text `\u003cREDACTED\u003e` if preferred." |
1509 | 1709 | }, |
| 1710 | + "registered_domain": { |
| 1711 | + "$ref": "#/$defs/RegisteredDomainProcessor", |
| 1712 | + "description": "Extracts the registered domain (also known as the effective top-level domain or eTLD), sub-domain, and top-level domain from a fully qualified domain name (FQDN). Uses the registered domains defined in the Mozilla Public Suffix List." |
| 1713 | + }, |
1510 | 1714 | "remove": { |
1511 | 1715 | "$ref": "#/$defs/RemoveProcessor", |
1512 | 1716 | "description": "Removes existing fields. If one field doesn’t exist, an exception will be thrown." |
|
1637 | 1841 | "patterns" |
1638 | 1842 | ] |
1639 | 1843 | }, |
| 1844 | + "RegisteredDomainProcessor": { |
| 1845 | + "properties": { |
| 1846 | + "description": { |
| 1847 | + "type": "string", |
| 1848 | + "description": "Description of the processor. Useful for describing the purpose of the processor or its configuration." |
| 1849 | + }, |
| 1850 | + "if": { |
| 1851 | + "type": "string", |
| 1852 | + "description": "Conditionally execute the processor." |
| 1853 | + }, |
| 1854 | + "ignore_failure": { |
| 1855 | + "type": "boolean", |
| 1856 | + "description": "Ignore failures for the processor." |
| 1857 | + }, |
| 1858 | + "on_failure": { |
| 1859 | + "items": { |
| 1860 | + "$ref": "#/$defs/ProcessorContainer" |
| 1861 | + }, |
| 1862 | + "type": "array", |
| 1863 | + "description": "Handle failures for the processor." |
| 1864 | + }, |
| 1865 | + "tag": { |
| 1866 | + "type": "string", |
| 1867 | + "description": "Identifier for the processor. Useful for debugging and metrics." |
| 1868 | + }, |
| 1869 | + "field": { |
| 1870 | + "type": "string", |
| 1871 | + "description": "Field containing the source FQDN. Required." |
| 1872 | + }, |
| 1873 | + "target_field": { |
| 1874 | + "type": "string", |
| 1875 | + "description": "Object field containing extracted domain components. If an empty string, the processor adds components to the document’s root." |
| 1876 | + }, |
| 1877 | + "ignore_missing": { |
| 1878 | + "type": "boolean", |
| 1879 | + "description": "If true and any required fields are missing, the processor quietly exits without modifying the document." |
| 1880 | + } |
| 1881 | + }, |
| 1882 | + "additionalProperties": false, |
| 1883 | + "type": "object", |
| 1884 | + "required": [ |
| 1885 | + "field" |
| 1886 | + ] |
| 1887 | + }, |
1640 | 1888 | "RemoveProcessor": { |
1641 | 1889 | "properties": { |
1642 | 1890 | "description": { |
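Review bot: In the FingerprintProcessor definition the constraints exist only in prose, so the schema does not reject malformed configs: `fields` is described as an array and listed under `required`, yet it carries no `type`, so any JSON value validates, and `method` has no `enum` although its description limits it to five names; the same gap applies to `seed` in CommunityIDProcessor (documented as 0–65535 but unbounded) and to `ecs_compatibility` in the grok hunk (documented as `disabled` or `v1`). Following the `internal_networks` pattern already in this diff, add `"type": "array", "items": { "type": "string" }` to `fields`, `"enum": ["MD5", "SHA-1", "SHA-256", "SHA-512", "MurmurHash3"]` to `method`, and `"minimum": 0, "maximum": 65535` to `seed`. Because MD5 and SHA-1 are in the accepted list, the `method` description should also state that the fingerprint is a correlation and deduplication identifier rather than an integrity or authenticity check, and the `salt` description should say that the salt separates fingerprints between deployments and is not a secret key, for example `Salt value mixed into the hash. It separates fingerprints between deployments; it is not a secret key and does not make the digest tamper-evident.` That wording about the salt is inferred from the description alone, not from the processor implementation, so confirm it against the processor code before adopting it.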
|