Beat processor drop fields

ajhstn · July 25, 2019, 9:42am

Hello - what would the best way to "drop all message fields, except for x or y o z"?

I want to start by dropping the message field for all events, but then only include it on a few using a when.or condition?

ajhstn · July 25, 2019, 9:48am

can i do something like this?

- drop_fields:
  fields:
    message
- add_fields:
    when:
      or:
        - equals: 
            winlog.event_id: 1
        - equals: 
            winlog.event_id: 2
        - equals: 
            winlog.event_id: 3
  fields:
    message

ajhstn · August 11, 2019, 3:50am

Any clues on how to drop all message fields by default, except when eventid = 1 or 2 or 3 etc?

andrewkroh · August 12, 2019, 3:16am

processors:
- drop_fields:
    fields: [message]
    when.not.or:
      - equals.winlog.event_id: 1
      - equals.winlog.event_id: 2
      - equals.winlog.event_id: 3

Give that a try. I didn't test it myself.

system · September 9, 2019, 3:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat - Need Help with Drop_fields Beats winlogbeat	4	504	January 14, 2022
Winlogbeat beta 5 - not dropping fields Beats winlogbeat	2	979	October 24, 2016
Winlogbeat and drop_event filter Beats winlogbeat	5	4946	May 9, 2017
Unable to drop events Beats winlogbeat	6	986	June 28, 2018
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1179	November 18, 2020

Beat processor drop fields

Related topics