newterm

This processor matches when a new value appears in a field that has never been seen before.

Synopsis

newterm {
    # The name of the field whose value is compared against the terms list.
    # If the field is null, the event is ignored.
    compare_field => "message"

}

Available settings

Setting         Type    Info       Default value
compare_field   string  required   ""
ignore_missing  bool               true
terms           array              []

Common Options

Details

compare_field

  • This is a required setting
  • Value type is string
  • Default value is ""
  • The name of the field whose value is compared against the terms list. If the field is null, the event is ignored.

ignore_missing

  • Value type is bool
  • Default value is true
  • If true, events that do not contain the compare_field field are ignored.

terms

  • Value type is array
  • Default value is []
  • A list of terms to treat as already seen when the processor starts. If the value of compare_field is not in this list (and has not been seen since), the event matches. Seeding this list from a known baseline avoids a burst of matches for values that are already expected.
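The following is an added example, not the processor's own source, that re-implements the matching rule described above over a handful of constructed events so the effect of compare_field, terms, ignore_missing and a null field can be seen side by side. It assumes the processor keeps an in-memory set of already-seen terms seeded from terms, and that a value not in that set matches once and is then remembered; how the real processor treats a missing field when ignore_missing is false is not stated on this page, so the sentinel used for that case is an assumption.

```python
"""Re-implementation of the newterm matching rule over constructed events.

Added example, not the processor's own code. Assumption: the processor keeps an
in-memory set of already-seen terms, seeded from `terms`; a value not in that
set matches once and is then remembered.
"""
from typing import Any, Iterable, List

# Stands in for an absent field when ignore_missing is false.
# Assumption: the page does not say how the real processor handles that case.
_MISSING = object()


class NewTerm:
    def __init__(self, compare_field: str, terms: Iterable[Any] = (),
                 ignore_missing: bool = True) -> None:
        if not compare_field:                  # compare_field is required; "" is not usable
            raise ValueError("compare_field is required")
        self.compare_field = compare_field
        self.ignore_missing = ignore_missing
        self.seen = set(terms)                 # initial terms count as already seen

    def process(self, event: dict) -> bool:
        """Return True when the event's compare_field value has never been seen."""
        if self.compare_field not in event:
            if self.ignore_missing:
                return False                   # ignore_missing => true: skip the event
            value = _MISSING                   # assumption: absence is itself a term
        else:
            value = event[self.compare_field]
            if value is None:
                return False                   # null field: always ignored
        if value in self.seen:
            return False
        self.seen.add(value)                   # remember it so it never matches again
        return True


def matches(processor: NewTerm, events: Iterable[dict]) -> List[bool]:
    """Run events through the processor in order and return one flag per event."""
    return [processor.process(event) for event in events]


# Constructed sample events (not real log data): a login stream keyed on user_agent.
SAMPLE_EVENTS = [
    {"message": "login ok", "user_agent": "curl/7.88"},     # first time seen -> match
    {"message": "login ok", "user_agent": "Mozilla/5.0"},   # seeded via terms -> no match
    {"message": "login ok", "user_agent": "curl/7.88"},     # repeat -> no match
    {"message": "login ok"},                                # field missing
    {"message": "login ok", "user_agent": None},            # field null -> ignored
    {"message": "login ok", "user_agent": "sqlmap/1.7"},    # first time seen -> match
]


if __name__ == "__main__":
    baseline = ["Mozilla/5.0"]                 # values known from a quiet period
    print(matches(NewTerm("user_agent", terms=baseline), SAMPLE_EVENTS))
    print(matches(NewTerm("user_agent", terms=baseline, ignore_missing=False), SAMPLE_EVENTS))
```

With the default ignore_missing the fourth event is skipped; with ignore_missing set to false it matches once and then, like any other term, never again. Note that the seen set lives in memory, so a restart forgets everything except what is listed in terms.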

Full configuration blueprint
