Dropping fields doesnt work

randude · July 25, 2017, 11:30am

Hi,
I'd like to drop the beat fields. I've used the formal docs and added the processors part but the fields are still in the data for some reason. What am I doing wrong?

This is my yaml file for metricbeat 5.5.0:

metricbeat.modules:
- module: system
  metricsets: ["process"]
  filters:
    - drop_event.when.regexp.name: '(bioset|python|sshd|bash|sftp-server|atop|java|cron|acpi_thermal_pm|agetty|ata_sff)'
  processors:
   - drop_fields:
       fields: ["beat",  "process.cmdline"]
  enabled: true
  period: 30s
  processes: ['.*']

andrewkroh · July 25, 2017, 12:44pm

Try changing it to:

metricbeat.modules:
- module: system
  metricsets: ["process"]
  filters:
    - drop_event.when.regexp.name: '(bioset|python|sshd|bash|sftp-server|atop|java|cron|acpi_thermal_pm|agetty|ata_sff)'
  enabled: true
  period: 30s
  processes: ['.*']

processors:
- drop_fields:
    fields: ["beat",  "system.process.cmdline"]

randude · July 25, 2017, 1:43pm

YES! it works!
Thanks a lot!

Do you know by any chance how to change the regexp to a regex that matches a word that doesnt contain the word "company"?
I've tried several perl expressions, but it seems that it doesnt like the ?! combination.

andrewkroh · July 25, 2017, 2:12pm

I don't know of any way to do it with the re2 regular expressions supported by Go.

But you could negate the by adding not.

drop_event.when.not.regexp.name: 'company'

randude · July 25, 2017, 3:13pm

You are awesome man.
It all works!

system · August 22, 2017, 3:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.