Hello.
I'm trying to clean-up my logging events as much as possible in order to save bandwidth and disk space in Elasticsearch.
I want to delete specific labels and preserve others.
Below is my full YAML file:
name: docker
processors:
- add_docker_metadata:
labels.dedot: True
- drop_fields:
fields: ["docker", "input", "log", "host", "@metadata"]
ignore_missing: true
filebeat:
config:
modules:
path: ${path.home}/modules.d/*.yml
reload.enabled: false
autodiscover.providers:
- type: docker
labels.dedot: True
templates:
- condition:
equals.docker.container.labels.logformat: generic
config:
- type: container
paths:
- /var/lib/docker/containers/${data.docker.container.id}/*.log
fields_under_root: true
fields:
type: "genericcattlev1"
cattle_env: ${CATTLE_ENVIRONMENT}
processors:
- drop_fields:
fields: >
["container.labels.org_opencontainers_image_authors",
"container.labels.org_opencontainers_image_created",
"container.labels.org_opencontainers_image_description",
"container.labels.org_opencontainers_image_documentation",
"container.labels.org_opencontainers_image_revision",
"container.labels.org_opencontainers_image_source",
"container.labels.org_opencontainers_image_title",
"container.labels.org_opencontainers_image_version",
"container.labels.prom_path",
"container.labels.prom_port",
"container.labels.prom_target"]
output.logstash:
hosts: ["${LOGSTASH_HOST}:8850"]
ssl.certificate_authorities: ["/pki/ca/ca.crt"]
ssl.certificate: "/pki/certs/filebeat/tls.crt"
ssl.key: "/pki/certs/filebeat/tls.key"
I tried many things. Previously, I tried to put the second (bigger) "drop_fields" together with the first one. Neither worked.
Is it the right way to reference a specific label?
container.labels.org_opencontainers_image_authors
Am I missing something?
Thanks and regards.