Drop_fields

y34rz3r0 · April 14, 2023, 9:49pm

Hello!

I've just started learning ELK and I'm having some confusion with filebeat's drop_fields processor.

My configuration:

filebeat.inputs:
  - type: log
    paths:
      - /mnt/var/log/ovpnagent.log
    fields_under_root: true
    processors:
      - drop_fields:
          fields: ["ecs", "input", "host"]
    enabled: true

Only the "input" field is dropped, while "host" and "ecs" remain. I also tried to use variants with "ecs.version" and "host.name", but nothing changed.

Can someone point me to my mistake and show me where it is explained in the documentation?

y34rz3r0 · April 14, 2023, 10:58pm

Okay, my mistake was that some fields are added later than processing, so a global processor is needed.

Like this:

filebeat.inputs:
  - type: log
    paths:
      - /mnt/var/log/ovpnagent.log
    fields_under_root: true
    enabled: true

processors:
  - drop_fields:
      fields: ["ecs", "input", "host"]

stephenb · April 15, 2023, 12:00am

@y34rz3r0 Welcome to the community! and thanks for posting your solution.

system · May 13, 2023, 2:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certain fields in "drop_fields" are not dropped Beats filebeat	1	112	April 16, 2024
Edditing The Filebeat Default Mappings Beats filebeat	2	410	November 8, 2019
Filebeats not dropping agent.* fields Beats filebeat	4	2447	November 20, 2019
Filebeat processors drop_fields has no effect Beats filebeat	3	360	September 4, 2023
Cann't use custom fields as a condition to drop fields Beats filebeat	3	981	August 22, 2017

Drop_fields

Related Topics