Cannot drop fields from checkpoint filebeat module

lachezar.uzunov · February 26, 2021, 11:31am

Hello everyone, I am using filebeat checkpoint module and want to reduce the log size of the logs, cutting fields like destination.geo.city.name.

My /etc/filebeat/filebeat.yml contains:

    - drop_fields:
           when:
               equals:
                  event.module: "checkpoint"
     
           fields: ["destination.geo.city.name"]

The same syntax is working fine for other filebeat modules such as imperva.

drop_event is also working fine but drop_fields is not dropping anything at all.
Tried as well as with fields: ["destination.geo.city.name.keyword"] but failed as well

Any ideas?

system · March 26, 2021, 1:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't drop field in checkpoint filebeat module Beats beats-module , filebeat	3	298	February 20, 2024
Certain fields in "drop_fields" are not dropped Beats filebeat	1	112	April 16, 2024
How to drop the fields that Filebeat normally adds (type, source, offset, etc.) Beats filebeat	7	650	September 5, 2018
Filebeat 7.16 drop_fields processor not working Beats filebeat	1	251	June 14, 2022
Winlogbeat beta 5 - not dropping fields Beats winlogbeat	2	979	October 24, 2016

Cannot drop fields from checkpoint filebeat module

Related topics