43 lines
1.7 KiB
Plaintext
43 lines
1.7 KiB
Plaintext
[[transform-chain]]
|
|
==== Chain Transform
|
|
|
|
A <<transform, Transform>> that executes an ordereed list of configured transforms in a chain, where
|
|
the output of one transform serves as the input of the next transform in the chain. The payload that is
|
|
accepted by this transform serves as the input of the first transform in the chain and the output of the last
|
|
transform in the chain is the output of the `chain` transform as a whole.
|
|
|
|
You can use chain transforms to build more complex transforms out of the other available transforms. For example,
|
|
you can combine a <<transform-search, `search`>> transform and a <<transform-script, `script`>> transform,
|
|
as shown in the following snippet:
|
|
|
|
[source,json]
|
|
--------------------------------------------------
|
|
"transform" : {
|
|
"chain" : [ <1>
|
|
{
|
|
"search" : { <2>
|
|
"search_type" : "count",
|
|
"indices" : [ "logstash-*" ],
|
|
"body" : {
|
|
"query" : {
|
|
"match" : { "priority" : "error" }
|
|
}
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"script" : "return [ error_count : ctx.payload.hits.total ]" <3>
|
|
}
|
|
]
|
|
}
|
|
--------------------------------------------------
|
|
|
|
<1> The `chain` transform definition
|
|
<2> The first transform in the chain (in this case, a `search` transform)
|
|
<3> The second and final transform in the chain (in this case, a `script` transform)
|
|
|
|
This example executes a `count` search on the cluster to look for `error` events. The
|
|
search results are then passed to the second `script` transform. The `script` transform
|
|
extracts the total hit count and assigns it to the `error_count` field in a newly-generated payload.
|
|
This newly-generated payload is the output of the `chain` transform and replaces the
|
|
payload in the watch execution context. |