Elasticsearch message format

Oleksii_Mazilov · February 3, 2017, 1:17pm

I need to remove several fields before pushing data to Elasticsearch. I can't use mutate filter because in aggregate filter I'm using field which I need to remove
Conf example:

input {
	jdbc {
		bla_bla_bla
	}
}

filter {
	date {
		match => [ "timestamp", "YYYYMMddHHmmss", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
		target => "timestamp"
	}
	if [event_name] == "submitted" {
		aggregate {
			task_id => "%{step_id}"
			code => "map['step_duration'] = event.get('timestamp')"
			map_action => "create"
		}
	}
	if [event_name] == "process_end" {
		aggregate {
			add_field => { "step_name" => "step_ololo" }
			task_id => "%{step_id}"
			code => "event.set('step_duration', event.get('timestamp') - map['step_duration'])"
			map_action => "update"
			end_of_task => true
			timeout => 3600
		}
	}
}

output {
	if ([step_name]) {
		elasticsearch {
			ssl_certificate_verification => "false"
			ssl => "false"
			index => "events-%{+YYYY.MM.dd}"
			hosts => [ "localhost:9200" ]
			user => "ololo_user"
			password => "ololo_pass"
		}
	}
}

Need to remove event_name field

magnusbaeck · February 3, 2017, 1:26pm

Can't you just remove the field after the aggregate filter?

Oleksii_Mazilov · February 3, 2017, 3:20pm

Doesn't work:

input {
	jdbc {
		bla_bla_bla
	}
}

filter {
	date {
		match => [ "timestamp", "YYYYMMddHHmmss", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
		target => "timestamp"
	}
	if [event_name] == "submitted" {
		aggregate {
			task_id => "%{step_id}"
			code => "map['step_duration'] = event.get('timestamp')"
			map_action => "create"
		}
	}
	if [event_name] == "process_end" {
		aggregate {
			add_field => { "step_name" => "step_ololo" }
			task_id => "%{step_id}"
			code => "event.set('step_duration', event.get('timestamp') - map['step_duration'])"
			map_action => "update"
			end_of_task => true
			timeout => 3600
		}
	}
        mutate {
            remove_field => [ "%{event_name}" ]
        }
}

output {
	if ([step_name]) {
		elasticsearch {
			ssl_certificate_verification => "false"
			ssl => "false"
			index => "events-%{+YYYY.MM.dd}"
			hosts => [ "localhost:9200" ]
			user => "ololo_user"
			password => "ololo_pass"
		}
	}
}

magnusbaeck · February 3, 2017, 3:25pm

remove_field => [ "%{event_name}" ]

This will remove the field named according to the contents of the event_name field, i.e. if that field contains "foo" Logstash will attempt to remove the field foo. Do this instead:

 remove_field => [ "event_name" ]

Oleksii_Mazilov · February 3, 2017, 3:37pm

Thanks a lot. Works now!

system · March 3, 2017, 3:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Delete a field in filter, but use it in output Logstash	8	7802	July 6, 2017
Remove message on filter before inserting in ES Logstash	4	6201	July 6, 2017
How to transform fields but dont insert them into elasticsearch Logstash	4	808	August 6, 2019
Remove _id, _index, _score, _type fields from index by logstash Logstash	4	1037	January 5, 2022
Remove unnecessary fields in ElasticSearch Logstash	11	5689	July 6, 2017

Elasticsearch message format

Related topics