Dropping fields doesnt work

Hi,
I'd like to drop the beat fields. I've used the formal docs and added the processors part but the fields are still in the data for some reason. What am I doing wrong?

This is my yaml file for metricbeat 5.5.0:

metricbeat.modules:
- module: system
  metricsets: ["process"]
  filters:
    - drop_event.when.regexp.name: '(bioset|python|sshd|bash|sftp-server|atop|java|cron|acpi_thermal_pm|agetty|ata_sff)'
  processors:
   - drop_fields:
       fields: ["beat",  "process.cmdline"]
  enabled: true
  period: 30s
  processes: ['.*']

Try changing it to:

metricbeat.modules:
- module: system
  metricsets: ["process"]
  filters:
    - drop_event.when.regexp.name: '(bioset|python|sshd|bash|sftp-server|atop|java|cron|acpi_thermal_pm|agetty|ata_sff)'
  enabled: true
  period: 30s
  processes: ['.*']

processors:
- drop_fields:
    fields: ["beat",  "system.process.cmdline"]

YES! it works!
Thanks a lot!

Do you know by any chance how to change the regexp to a regex that matches a word that doesnt contain the word "company"?
I've tried several perl expressions, but it seems that it doesnt like the ?! combination.

I don't know of any way to do it with the re2 regular expressions supported by Go.

But you could negate the by adding not.

drop_event.when.not.regexp.name: 'company'

You are awesome man.
It all works!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.