Cann't use custom fields as a condition to drop fields

Yaohua · July 24, 2017, 10:18am

This is my config

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/xaa
  fields:
    Host: ${HOSTNAME}
  fields_under_root: true
  document_type: nginx
  tags: test
  exclude_lines: ['GET / HTTP/1.1"']
processors:
- drop_fields.when:
    - contains:
      - Host: 'vm1'
        - fields:
          - "beat"
          - "offset"

I use filebeat -c /etc/filebeat/filebeat.yml -path.logs /var/log/filebeat/ -path.data /var/lib/filebeat/ -configtest
The filebeat output

filebeat2017/07/24 10:12:14.974970 beat.go:339: CRIT Exiting: error loading config file: yaml: line 25: did not find expected key
Exiting: error loading config file: yaml: line 25: did not find expected key

tudor · July 24, 2017, 12:14pm

Try this:

processors:
- drop_fields:
    fields: ["beat", "offset"]
    when.contains.host: "vm1"

I didn't test, but that's how I would write it.

Yaohua · July 25, 2017, 1:49am

it's work.thanks.

system · August 22, 2017, 1:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat didn't drop some of the fields Beats filebeat	2	4016	June 19, 2017
Filebeat drop_event has_fields condition Beats filebeat	2	2972	May 30, 2019
Filebeat drop_event Beats filebeat	2	4017	July 5, 2017
Drop events if a field does not exist Beats filebeat	2	2206	January 8, 2018
Drop multiple fields with regex on field names using filebeat Beats filebeat	5	3131	December 27, 2017

Cann't use custom fields as a condition to drop fields

Related topics