Certain fields in "drop_fields" are not dropped

hjazz6 · March 19, 2024, 6:07am

Hi,

I'm trying to drop certain fields using filebeat's drop_fields processor, so that they will not be indexed to my Elasticsearch. I'm using version 8.8.0 for both filebeat and elasticsearch.

Most of the fields specified in the drop_fields array are dropped, but a few are not, e.g. source.geo.city_name, destination.geo.location.lon, and network.direction. Except for network.direction, all the field names that were dropped only have one period in them, e.g. abc.def.

A portion of the relevant configuration in filebeat.yml is

processors:
    - drop_fields:
          fields: ["destination.bytes", "destination.geo.location.lon", "ecs.version", "source.bytes", "source.geo.city_name", "network.direction", "source.packets"]

Why are some of these fields not dropped?

Thank you.

system · April 16, 2024, 8:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat didn't drop some of the fields Beats filebeat	2	3994	June 19, 2017
Unable to Drop desired fields using drop_fields processors in filebeat Beats filebeat	3	1291	March 26, 2021
Filebeat drop_fields processors module does not work Beats filebeat	1	259	December 14, 2021
Drop_fields Beats filebeat	3	234	May 13, 2023
How to remove certain fields from filebeat index Beats filebeat	6	5761	August 27, 2020

Certain fields in "drop_fields" are not dropped

Related topics