Processors

Processors wrap a source and transform events before they reach destinations. They let you parse, extract, and enrich log data on the host before it leaves the machine.

How processors work

A processor is configured as a source with a nested source inside it. The inner source collects the raw events, and the processor transforms them:

{
  "sources": {
    "parsed-logs": {
      "type": "refine",
      "source": {
        "type": "journald"
      },
      "rules": [...]
    }
  }
}

The outer source ("refine") wraps the inner source ("journald"), applying transformations to every event before it reaches destinations.

Available processors

Processor	Type	Description
Refine	`refine`	Rule-based field matching and extraction
KV	`kv`	Parse key-value pairs from log lines
Regex	`regex`	Extract fields using named capture groups

Chaining processors

Processors can be nested to apply multiple transformations:

{
  "sources": {
    "enriched": {
      "type": "refine",
      "source": {
        "type": "kv",
        "source": {
          "type": "file",
          "path": "/var/log/app/",
          "extension": ".log"
        },
        "rules": [...]
      },
      "rules": [...]
    }
  }
}

Processors

How processors work

Available processors

Chaining processors

On this page