Filebeat didn't drop some of the fields

John_06 · May 21, 2017, 1:36am

I am trying to drop some not needed fields with Filebeat:

filebeat.yml:

filebeat.prospectors:

- input_type: log
  paths:
    - /var/log/app1.log
  fields:
    app_name: app1
  fields_under_root: true

processors:
 - drop_fields:
     fields: ["type", "beat.name", "beat.version", "_type", "_score", "_id", "@version", "offset"]

registry_file: /var/lib/filebeat/registry

output.logstash:
   ...

As of now, only beat.name, beat.version and offset fields have been dropped.
How can I drop other fields?

ruflin · May 22, 2017, 1:17pm

Be aware that not all these fields are generated by filebeat, but also some by elasticsearch as they are required for elasticsearch to work, for example all the _* fields. Others are probably added by Logstash.

system · June 19, 2017, 1:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.