Hello,
when processing particular events by filters i would like sometimes to create new event with one attribute same as in original event (and store this new event into other elastic search index for further terms lookup querying).
My idea is to create new event and add required field from original event.
Can it be done using some existing filters? I could use clone filter, but i don't want to manually delete tens of attributes from original event.
Thank you very much for help!
I've created a PR to add a keep option to the mutate filter. The idea is that instead of specifying fields to remove, you just specify the fields you'd like to keep. If you use the clone filter along with that, it should be relatively simple.
You can find it here: https://github.com/logstash-plugins/logstash-filter-mutate/pull/9
I've been trying to find out why it hasn't been merged yet.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.