Correct syntax to my filter

espacioint · March 29, 2019, 3:37pm

Hello,my name is Pablo, this is my first post so I ask for a bit a patience about me.. im new in elk.

I'm working with netflow.
I have many fields that Im not interested to store, so I can have less data on my elk.
Im trying to remove some field with mutate (is the only way that I found).

my code is this..

mutate {
remove => ["netflow.xlate_dst_port"]
}

I've tested many combinations but it seems that the field is not correctly defined by me.
So logstash stop processing the logs.
Only if I comment this it keep working.
Can someone tell me the correct syntax to do this works?
Thanks a lot to everybody.

A_B · March 29, 2019, 3:48pm

Hi @espacioint,

I find the Elastic documentation really good and full of great info. But it still takes some time to figure everything out

If you checkout the documentation for plugin-filter-mutate you will find that there is no remove. You should use remove_field. That should fix your problem.

Also, always check the documentation for the specific version you are using. My suggested fix is for version 6.6 (which I use). Looks like this has not changed in the latest version, which is 6.7.

espacioint · March 29, 2019, 4:01pm

Really thanks by your help.
You are right, in the documentation says depreciated...
I have changed to remove_field but still not working...

mutate {
remove_field => ["netflow.dst_mask","netflow.flowset_id"]
}

is there any other error there?
thanks for your time.

Badger · March 29, 2019, 4:10pm

Do you really have a period in your fieldname or do you mean

mutate { remove_field => ["[netflow][dst_mask]","[netflow][flowset_id]"] }

system · April 26, 2019, 4:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.