Dropping specific container labels from fields

Dario_Louzado · February 25, 2022, 6:26pm

Hello.
I'm trying to clean-up my logging events as much as possible in order to save bandwidth and disk space in Elasticsearch.

I want to delete specific labels and preserve others.

Below is my full YAML file:

name: docker
processors:
  - add_docker_metadata:
      labels.dedot: True
  - drop_fields:
      fields: ["docker", "input", "log", "host", "@metadata"]        
      ignore_missing: true
filebeat:
  config:
    modules:
      path: ${path.home}/modules.d/*.yml
      reload.enabled: false

  autodiscover.providers:
    - type: docker
      labels.dedot: True
      templates:
        - condition:
            equals.docker.container.labels.logformat: generic
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              fields_under_root: true
              fields:
                type: "genericcattlev1"
                cattle_env: ${CATTLE_ENVIRONMENT}
              processors:
                - drop_fields:
                    fields: >
                      ["container.labels.org_opencontainers_image_authors", 
                      "container.labels.org_opencontainers_image_created", 
                      "container.labels.org_opencontainers_image_description", 
                      "container.labels.org_opencontainers_image_documentation", 
                      "container.labels.org_opencontainers_image_revision", 
                      "container.labels.org_opencontainers_image_source", 
                      "container.labels.org_opencontainers_image_title", 
                      "container.labels.org_opencontainers_image_version", 
                      "container.labels.prom_path", 
                      "container.labels.prom_port", 
                      "container.labels.prom_target"]

output.logstash:
  hosts: ["${LOGSTASH_HOST}:8850"]
  ssl.certificate_authorities: ["/pki/ca/ca.crt"]
  ssl.certificate: "/pki/certs/filebeat/tls.crt"
  ssl.key: "/pki/certs/filebeat/tls.key"

I tried many things. Previously, I tried to put the second (bigger) "drop_fields" together with the first one. Neither worked.

Is it the right way to reference a specific label?

container.labels.org_opencontainers_image_authors

Am I missing something?
Thanks and regards.

ChrsMark · February 28, 2022, 8:56am

Hi @Dario_Louzado !

Could you try with something like docker.container.labels.org_opencontainers_image_authors ?

Docs: Autodiscover | Filebeat Reference [8.0] | Elastic

Dario_Louzado · March 8, 2022, 12:47pm

It worked @ChrsMark . Thanks.

system · April 5, 2022, 2:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat didn't drop some of the fields like agent., ecs. etc Beats docker , filebeat	3	1947	September 8, 2020
Filebeat docker container labels do not seems Beats docker , filebeat	3	732	February 11, 2022
Removing unwanted data in Filebeats / Logstash Logstash docker	1	392	April 16, 2021
Drop irrelevant filebeat docker metadata not working Beats docker , filebeat	1	286	November 2, 2022
Filebeat not dropping the entire events/log Beats docker , filebeat	2	387	September 28, 2020

Dropping specific container labels from fields

Related topics