From 32d2ba068c31299d99a25544542b462290a9f95f Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 8 Jan 2024 09:09:09 +0100
Subject: [PATCH] Add a warning about altering existing event fields by
 processors (#37459) (#37566)

This is important to mention, since some of our processors rely on a
certain event schema and pre-existing fields. So, these fields should
not be removed or overwritten.

(cherry picked from commit 091da4e3cc21b04497ac6ca9d4cdd2ddfd93fd52)

Co-authored-by: Denis <denis.rechkunov@elastic.co>
---
 libbeat/docs/processors.asciidoc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libbeat/docs/processors.asciidoc b/libbeat/docs/processors.asciidoc
index f4fda6c50f7c..fc91b31a49af 100644
--- a/libbeat/docs/processors.asciidoc
+++ b/libbeat/docs/processors.asciidoc
@@ -25,3 +25,5 @@ order they are defined in the {beatname_uc} configuration file.
 -------
 event -> processor 1 -> event1 -> processor 2 -> event2 ...
 -------
+
+IMPORTANT: It's recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it's necessary to remove, rename or overwrite an existing event field, please make sure it's done by a corresponding processor (<<drop-fields,`drop_fields`>>, <<rename-fields,`rename`>> or <<add-fields, `add_fields`>>) placed at the end of the processor list defined in the input configuration.