Drop network events

muratungor · August 23, 2017, 8:38am

Hello
I have 2 filter in my metricbeat.yml

Blockquote
filters:
drop_event.when.equals.system.network.name: lo
drop_event.when.regexp.mount_point: '^/(automnt|tmp|boot|net|misc|/var/lib|sys|cgroup|proc|dev|etc|host|run)($|/)'

second filter (mount_point) is working but system.network.name: lo filter is not working.
Can you help me please
best regards

steffens · August 23, 2017, 11:42am

Please use the </> button to format configuration files. This will preserve whitespace.

The filter setting in metricbeat 5.x is applied on the non-finalized event. You have to access the keys by it's local name. For example the mount_point its full name is system.filesystem.mount_point. The local name of system.network.name is just name. When moving the filters to the global scope (processors setting), you will operate on the full event.

With metricbeat 6.0 beta1, we replaced the local filter setting with a local processors setting. The new setting operates on the complete event and requires you to use system.network.name and system.filesystem.mount_point. This helps resolving ambiguities.

muratungor · August 23, 2017, 11:54am

Hello Steffens
We're using metricbeat 5.5.2-1 . I've changed key to local name. You can find the configuration file below. But still I can see the lo interface events

< - module: system
metricsets:
# CPU stats
- cpu

# System Load stats
- load

# Per CPU core stats
#- core

# IO stats
- diskio

# Per filesystem stats
- filesystem

# File system summary stats
#- fsstat

# Memory stats
- memory

# Network stats
- network

# Per process stats
#- process

# Sockets (linux only)
#- socket
enabled: true
period: 60s
processes: ['.*']
filters:
 drop_event.when.equals.name: lo
 drop_event.when.regexp.mount_point: '^/(automnt|tmp|boot|net|misc|/var/lib|sys|cgroup|proc|dev|etc|host|run)($|/)'

/>

muratungor · August 24, 2017, 6:54am

Hello
It's work with regexp. now it seems like below

  enabled: true
  period: 60s
  processes: ['.*']
  filters:
    - drop_event.when.equals.device_name: sunrpc
    - drop_event.when.regexp.mount_point: '^/(automnt|tmp|boot|net|misc|sys|cgroup|proc|dev|etc|host|run)($|/)'
    - drop_event.when.regexp.name: '^lo'

steffens · August 24, 2017, 3:02pm

Is your network device named lo or something like lo0?

muratungor · August 25, 2017, 1:03pm

its just lo

system · September 22, 2017, 1:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
"Drop_event" does not work Beats metricbeat	5	1249	November 29, 2017
Metricbeat yaml drop_event.when.regexp.mount_point filter not working as expected not working as expected Beats metricbeat	4	1541	April 20, 2018
Drop Events works only for Linux Beats docker , metricbeat	3	353	October 7, 2021
Processors drop_event - no worky Beats metricbeat	8	3487	February 9, 2017
Can't drop events from metricbeat Beats metricbeat	10	2510	August 28, 2017

Drop network events

Related Topics