Refine processor
The refine processor applies rule-based matching to events and extracts or sets fields based on conditions. Use it to route different log types to different source types, or to extract structured fields from raw log data.
Configuration
Options
| Option | Type | Description |
|---|---|---|
| source | object | Required. Nested source configuration |
| rules | array | Required. List of matching and extraction rules |
Rule structure
Each rule has a match array and an extract array:
| Field | Type | Description |
|---|---|---|
| match[].path | string | JSONPath to the field to match (e.g. "rawLog.SYSLOG_IDENTIFIER") |
| match[].value | string | Value to match exactly |
| extract[].to | string | Destination field name (e.g. "sourceType", "service.name") |
| extract[].from | string | Source JSONPath to extract from |
All conditions in a rule's match array must be true (AND logic) for the extraction to apply. Rules are evaluated sequentially.
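
The matching behaviour described above, modelled in Python as an added example (not the processor's own code), with a helper that lists events no rule routed so gaps caused by exact matching are visible. Assumptions: paths are plain dotted keys, every matching rule is applied in order with later writes overwriting earlier ones, and `extract` copies the value found at `from`; the rules, events and the `unrouted` helper are constructed for illustration.

```python
# Added illustration of the documented rule semantics; not the processor's own code.
import copy

def get_path(event, path):
    """Resolve a dotted path like 'rawLog.SYSLOG_IDENTIFIER' (assumed JSONPath subset)."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def set_path(event, path, value):
    *parents, leaf = path.split(".")
    node = event
    for key in parents:  # create intermediate objects for names such as 'service.name'
        node = node.setdefault(key, {})
    node[leaf] = value

def rule_matches(rule, event):
    # AND logic: every condition must equal its value exactly; a missing field fails.
    return all(get_path(event, m["path"]) == m["value"] for m in rule["match"])

def refine(event, rules):
    out = copy.deepcopy(event)
    for rule in rules:  # sequential; assumption: all matching rules apply, later writes win
        if rule_matches(rule, out):
            for ex in rule["extract"]:
                if (value := get_path(out, ex["from"])) is not None:
                    set_path(out, ex["to"], value)
    return out

# Constructed rules and journald-style events (sample data, not from the page).
RULES = [
    {"match": [{"path": "rawLog.SYSLOG_IDENTIFIER", "value": "sshd"}],
     "extract": [{"to": "sourceType", "from": "rawLog.SYSLOG_IDENTIFIER"},
                 {"to": "service.name", "from": "rawLog._SYSTEMD_UNIT"}]},
    {"match": [{"path": "rawLog.SYSLOG_IDENTIFIER", "value": "sshd"},
               {"path": "rawLog._TRANSPORT", "value": "journal"}],
     "extract": [{"to": "sourceType", "from": "rawLog._TRANSPORT"}]},
]
EVENTS = [
    {"rawLog": {"SYSLOG_IDENTIFIER": "sshd", "_SYSTEMD_UNIT": "ssh.service", "_TRANSPORT": "syslog"}},
    {"rawLog": {"SYSLOG_IDENTIFIER": "sshd", "_SYSTEMD_UNIT": "ssh.service", "_TRANSPORT": "journal"}},
    {"rawLog": {"SYSLOG_IDENTIFIER": "SSHD", "_TRANSPORT": "syslog"}},  # case differs: no match
]

def unrouted(events, rules):
    return [i for i, e in enumerate(events) if "sourceType" not in refine(e, rules)]  # rule gaps
```

Here `unrouted(EVENTS, RULES)` reports the third event, whose identifier differs from the rule value only by case.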