Drop_fields

y34rz3r0 · April 14, 2023, 9:49pm

Hello!

I've just started learning ELK and I'm having some confusion with filebeat's drop_fields processor.

My configuration:

filebeat.inputs:
  - type: log
    paths:
      - /mnt/var/log/ovpnagent.log
    fields_under_root: true
    processors:
      - drop_fields:
          fields: ["ecs", "input", "host"]
    enabled: true

Only the "input" field is dropped, while "host" and "ecs" remain. I also tried to use variants with "ecs.version" and "host.name", but nothing changed.

Can someone point me to my mistake and show me where it is explained in the documentation?

y34rz3r0 · April 14, 2023, 10:58pm

Okay, my mistake was that some fields are added later than processing, so a global processor is needed.

Like this:

filebeat.inputs:
  - type: log
    paths:
      - /mnt/var/log/ovpnagent.log
    fields_under_root: true
    enabled: true

processors:
  - drop_fields:
      fields: ["ecs", "input", "host"]

stephenb · April 15, 2023, 12:00am

@y34rz3r0 Welcome to the community! and thanks for posting your solution.

system · May 13, 2023, 2:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat drop_fields processors module does not work Beats filebeat	1	259	December 14, 2021
Unable to Drop desired fields using drop_fields processors in filebeat Beats filebeat	3	1291	March 26, 2021
Drop agent / ecs fields from filebeat (previous solves here only partially work) Beats filebeat	1	363	June 8, 2022
Filebeat didn't drop some of the fields Beats filebeat	2	3994	June 19, 2017
Filebeat - drop fields processor doesn't remove agent.* and ecs fields. (Without Logstash) Beats	4	2285	November 10, 2019

Drop_fields

Related topics