andrewkroh · March 10, 2023 15:04
diff --git a/beat.yml b/beat.yml
 processors:
  - script:
      # This uses a Beat script processor to include only ipv4 addresses
      # in the host.ip field. This would need to placed after the add_host_metadata
      # processor.
      #
      # It would be a lot more efficient to have add_host_metadata allow controlling
      # what addresses were included because this has to execute for every event.
      #
      # References:
      # https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html
      lang: javascript
      id: include-ipv4
      source: |
        var net = require('net');
        function process(evt) {
          var ips = evt.Get('host.ip');
          if (!Array.isArray(ips) || ips.length == 0) {
            return;
          }

          var ipv4s = [];
          for (var i = 0; i < ips.length; i++) {
            var ip = ips[i];
            if (net.isIPv4(ip)) {
              ipv4s.push(ip);
            }
          }
          evt.Put('host.ip', ipv4s);
        }
	processors:
	- script:
	# This uses a Beat script processor to include only ipv4 addresses
	# in the host.ip field. This would need to placed after the add_host_metadata
	# processor.
	#
	# It would be a lot more efficient to have add_host_metadata allow controlling
	# what addresses were included because this has to execute for every event.
	#
	# References:
	# https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html
	lang: javascript
	id: include-ipv4
	source: \|
	var net = require('net');
	function process(evt) {
	var ips = evt.Get('host.ip');
	if (!Array.isArray(ips) \|\| ips.length == 0) {
	return;
	}

	var ipv4s = [];
	for (var i = 0; i < ips.length; i++) {
	var ip = ips[i];
	if (net.isIPv4(ip)) {
	ipv4s.push(ip);
	}
	}
	evt.Put('host.ip', ipv4s);
	}