Exclude part of kubernetes log

I'm trying to make Filebeat exclude part of the whole log that is being sent to Logstash, through the Filebeat config xml file.

I have log like this:
{ "@timestamp" : "timestamp" , "name" : "general" , "kubernetes" : { "namespace" : "namespace" , "pod" : { "name" : "name" , "uid" : "uid" }, "container" : { "name" : "name" , "image" : "image" }, "node" : { "name" : "name" }, "labels" : { "env" : "env" , "app" : "app" , "pod-template-hash" : "pod-template-hash" , "labels" : "" }, "replicaset" : { "name" : "name" } }, "hostname" : "hostname" , "system" : "system" , "tag" : "tag" , "host" : { "name" : "name" }, "ecs" : { "version" : "version" }, "agent" : { "ephemeral_id" : "ephemeral_id" , "version" : "version" , "hostname" : "hostname" , "id" : "id" , "type" : "filebeat" }, "v" : 0 , "version" : "version" , "pid" : 8 , "stream" : "stdout" , "app" : "app" , "message" : "message" , "time" : "time" , "@version" : "1" , "input" : { "type" : "container" }, "env" : "staging" , "level" : "DEBUG" }
I want to remove just the "kubernetes" map part from this log. Is there a way to do that?
exclude_line excludes the whole log.

Have you tried using the drop_fields processor? https://www.elastic.co/guide/en/beats/filebeat/current/drop-fields.html

@kvch, thanks for the reply.
Yes, I have tried adding

    processors:
      - drop_fields:
          fields: ["kubernetes.namespace"]

and also just kubernetes.
It drops the whole log instead of just this part. Got any other ideas?

You have to do it in 2 processors.
decode_json and then drop_fields
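
An added example, not part of the original thread: a `filebeat.yml` sketch of the two-step chain suggested above, using Filebeat's `decode_json_fields` and `drop_fields` processors. It assumes the application's JSON line arrives as a string in the `message` field; the input path and the Logstash host are placeholders.

```yaml
# filebeat.yml (added example; path and host below are placeholders)
filebeat.inputs:
  - type: container
    paths:
      - /var/log/containers/*.log      # assumed container log location

processors:
  # Processors run in the order they are listed, so the JSON is decoded
  # first and the unwanted map is removed afterwards.
  - decode_json_fields:
      fields: ["message"]              # assumption: JSON payload is in "message"
      target: ""                       # merge decoded keys into the event root
      overwrite_keys: true             # decoded keys replace existing ones
      add_error_key: true              # record decode failures on the event
                                       # so malformed lines stay visible

  # Drop the whole "kubernetes" object (namespace, pod, container, node,
  # labels, replicaset) before the event leaves the node.
  - drop_fields:
      fields: ["kubernetes"]
      ignore_missing: true             # no error on events that lack the field

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder host
```

`drop_fields` cannot remove `@timestamp` or `type`, and without `ignore_missing: true` it returns an error for events that do not contain the listed field.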
