Cann't use custom fields as a condition to drop fields

Yaohua · July 24, 2017, 10:18am

This is my config

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/xaa
  fields:
    Host: ${HOSTNAME}
  fields_under_root: true
  document_type: nginx
  tags: test
  exclude_lines: ['GET / HTTP/1.1"']
processors:
- drop_fields.when:
    - contains:
      - Host: 'vm1'
        - fields:
          - "beat"
          - "offset"

I use filebeat -c /etc/filebeat/filebeat.yml -path.logs /var/log/filebeat/ -path.data /var/lib/filebeat/ -configtest
The filebeat output

filebeat2017/07/24 10:12:14.974970 beat.go:339: CRIT Exiting: error loading config file: yaml: line 25: did not find expected key
Exiting: error loading config file: yaml: line 25: did not find expected key

tudor · July 24, 2017, 12:14pm

Try this:

processors:
- drop_fields:
    fields: ["beat", "offset"]
    when.contains.host: "vm1"

I didn't test, but that's how I would write it.

Yaohua · July 25, 2017, 1:49am

it's work.thanks.

system · August 22, 2017, 1:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat didn't drop some of the fields Beats filebeat	2	3993	June 19, 2017
How to fix host issue in filebeat-7.17.4 without drop_fields Beats filebeat	4	313	July 15, 2022
Unable to Drop desired fields using drop_fields processors in filebeat Beats filebeat	3	1286	March 26, 2021
Drop_fields Beats filebeat	3	234	May 13, 2023
Using processor in Filebeat Nginx module Beats beats-module , filebeat	3	993	March 5, 2021

Cann't use custom fields as a condition to drop fields

Related Topics