Drop_fields

y34rz3r0 · April 14, 2023, 9:49pm

Hello!

I've just started learning ELK and I'm having some confusion with filebeat's drop_fields processor.

My configuration:

filebeat.inputs:
  - type: log
    paths:
      - /mnt/var/log/ovpnagent.log
    fields_under_root: true
    processors:
      - drop_fields:
          fields: ["ecs", "input", "host"]
    enabled: true

Only the "input" field is dropped, while "host" and "ecs" remain. I also tried to use variants with "ecs.version" and "host.name", but nothing changed.

Can someone point me to my mistake and show me where it is explained in the documentation?

y34rz3r0 · April 14, 2023, 10:58pm

Okay, my mistake was that some fields are added later than processing, so a global processor is needed.

Like this:

filebeat.inputs:
  - type: log
    paths:
      - /mnt/var/log/ovpnagent.log
    fields_under_root: true
    enabled: true

processors:
  - drop_fields:
      fields: ["ecs", "input", "host"]

stephenb · April 15, 2023, 12:00am

@y34rz3r0 Welcome to the community! and thanks for posting your solution.

system · May 13, 2023, 2:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.