Hello folks, as you can see below, I'm not able to drop an event when it doesn't have "system".
Could you please let me know if it is possible to do that?
I really appreciate your help and time.
# Metricbeat processor list. The post lost its indentation; the nesting below
# is the presumably intended one -- confirm against the real config file.
processors:
  -
    # drop_event discards the whole event when the condition under `when` is true.
    # A dropped event is not published, so a condition that is broader than
    # intended removes telemetry without any trace in the output.
    drop_event.when:
      # `not` inverts the nested condition.
      not:
        # has_fields is true when the event contains every listed field, so the
        # combined rule drops events that have no `system` field. The sample
        # event in this post does contain `system`, so this rule would not be
        # expected to drop it.
        has_fields: ['system']
The output follows below:
"@timestamp": "2021-08-12T12:23:49.480Z",
"@metadata": {
"beat": "metricbeat",
"type": "_doc",
"version": "7.10.0"
},
"agent": {
"version": "7.10.0",
"hostname": "",
"ephemeral_id": "",
"id": "",
"name": "",
"type": "metricbeat"
},
"event": {
"dataset": "system.diskio",
"module": "system"
},
"metricset": {
"name": "diskio",
"period": 60000
},
"service": {
"type": "system"
},
"system": {
"diskio": {
"name": "C:",
"read": {
"bytes": 66803812352,
"count": 3052351,
"time": 6042921
},
"write": {
"count": 6426107,
"time": 17749385,
"bytes": 168764028416
}
}
},
"fields": {
"uuid": "****************************************"
},
"ecs": {
"version": "1.6.0"
},
"host": {
"name": "**************"
},
"tag": "metricbeat",
"customer_id": "3"
}