Dropping specific container labels from fields

Elastic Stack Beats
,
1

Hello.
I'm trying to clean-up my logging events as much as possible in order to save bandwidth and disk space in Elasticsearch.

I want to delete specific labels and preserve others.

Below is my full YAML file:

name: docker
processors:
  - add_docker_metadata:
      labels.dedot: True
  - drop_fields:
      fields: ["docker", "input", "log", "host", "@metadata"]        
      ignore_missing: true
filebeat:
  config:
    modules:
      path: ${path.home}/modules.d/*.yml
      reload.enabled: false

  autodiscover.providers:
    - type: docker
      labels.dedot: True
      templates:
        - condition:
            equals.docker.container.labels.logformat: generic
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              fields_under_root: true
              fields:
                type: "genericcattlev1"
                cattle_env: ${CATTLE_ENVIRONMENT}
              processors:
                - drop_fields:
                    fields: >
                      ["container.labels.org_opencontainers_image_authors", 
                      "container.labels.org_opencontainers_image_created", 
                      "container.labels.org_opencontainers_image_description", 
                      "container.labels.org_opencontainers_image_documentation", 
                      "container.labels.org_opencontainers_image_revision", 
                      "container.labels.org_opencontainers_image_source", 
                      "container.labels.org_opencontainers_image_title", 
                      "container.labels.org_opencontainers_image_version", 
                      "container.labels.prom_path", 
                      "container.labels.prom_port", 
                      "container.labels.prom_target"]

output.logstash:
  hosts: ["${LOGSTASH_HOST}:8850"]
  ssl.certificate_authorities: ["/pki/ca/ca.crt"]
  ssl.certificate: "/pki/certs/filebeat/tls.crt"
  ssl.key: "/pki/certs/filebeat/tls.key"

I tried many things. Previously, I tried to put the second (bigger) "drop_fields" together with the first one. Neither worked.

Is it the right way to reference a specific label?

container.labels.org_opencontainers_image_authors

Am I missing something?
Thanks and regards.

2

Hi @Dario_Louzado !

Could you try with something like docker.container.labels.org_opencontainers_image_authors ?

Docs: Autodiscover | Filebeat Reference [8.0] | Elastic

3

It worked @ChrsMark . Thanks.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.