i'm trying drop some unneccesary fields, but i still see metadata
i follow this docs: Drop fields from events | Filebeat Reference [7.11] | Elastic
"ecs": {
"version": "1.1.0"
},
"host": {
"name": "prod-node02",
"hostname": "prod-node02",
"architecture": "x86_64",
"os": {
"kernel": "3.10.0-1160.11.1.el7.x86_64",
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux"
},
"containerized": true
},
- type: container
paths:
- /var/log/containers/*.log
exclude_files:
- /var/log/containers/admin.*
processors:
- add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
- drop_fields:
fields: ["agent", "log", "input", "host", "ecs"]
- drop_event.when:
or:
- equals:
kubernetes.namespace: "kube-system"
- equals:
kubernetes.namespace: "openshift-console"
- equals:
kubernetes.namespace: "openshift-logging"
- equals:
kubernetes.namespace: "openshift-metric-server"
- equals:
kubernetes.namespace: "openshift-node"
- equals:
kubernetes.namespace: "openshift-web-console"
- equals:
kubernetes.namespace: "kube-public"
- equals:
kubernetes.namespace: "kube-service-catalog"
- equals:
kubernetes.namespace: "openshift-infra"
- equals:
kubernetes.namespace: "openshift-monitoring"
- equals:
kubernetes.namespace: "openshift-sdn"
- equals:
kubernetes.namespace: "default"
- equals:
kubernetes.namespace: "velero"
- equals:
kubernetes.namespace: "openshift-template-service-broker"
- equals:
kubernetes.namespace: "openshift-metrics-server"