47 lines
1.7 KiB
Plaintext
47 lines
1.7 KiB
Plaintext
[[transform-chain]]
|
|
=== Chain Transform
|
|
|
|
A <<transform, Transform>> that executes an ordered list of configured transforms
|
|
in a chain, where the output of one transform serves as the input of the next
|
|
transform in the chain. The payload that is accepted by this transform serves as
|
|
the input of the first transform in the chain and the output of the last transform
|
|
in the chain is the output of the `chain` transform as a whole.
|
|
|
|
You can use chain transforms to build more complex transforms out of the other
|
|
available transforms. For example, you can combine a <<transform-search, `search`>>
|
|
transform and a <<transform-script, `script`>> transform, as shown in the
|
|
following snippet:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
"transform" : {
|
|
"chain" : [ <1>
|
|
{
|
|
"search" : { <2>
|
|
"indices" : [ "logstash-*" ],
|
|
"body" : {
|
|
"size" : 0,
|
|
"query" : {
|
|
"match" : { "priority" : "error" }
|
|
}
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"script" : "return [ error_count : ctx.payload.hits.total ]" <3>
|
|
}
|
|
]
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
<1> The `chain` transform definition
|
|
<2> The first transform in the chain (in this case, a `search` transform)
|
|
<3> The second and final transform in the chain (in this case, a `script`
|
|
transform)
|
|
|
|
This example executes a `count` search on the cluster to look for `error` events.
|
|
The search results are then passed to the second `script` transform. The `script`
|
|
transform extracts the total hit count and assigns it to the `error_count` field
|
|
in a newly-generated payload. This new payload is the output of the `chain`
|
|
transform and replaces the payload in the watch execution context.
|