Can not remove "tags" field?

agrm · November 23, 2016, 9:54pm

I have the following pipe configuration (See bellow). It removes all additional fields except "tags". I am using the latest elasticsearch and logstash software. What could be wrong that it does not remove "tage"?

input
{
udp
{
port => 6789
codec => "json"
}
}

filter
{
if [CLIENT_DATA]
{
grok
{
match => { "@timestamp" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}T%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}." }
}

 mutate
 {
    add_field => { "pc_received_date" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{second}" }

    add_field => { "pc_name" => "my_pc_name" }

    remove_field => [ "@version" , "tags" , "host" , "CLIENT_DATA" , "year" , "month" , "day" , "hour" , "minute" , "second" , "@timestamp"]
 }

}
else
{
drop {}
}
}

output
{
elasticsearch
{
hosts => ["localhost:9200"]
codec => "json"
}

stdout { codec => rubydebug }

}

system · December 21, 2016, 9:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.