Get rid of .keyword

svenvg93 · June 25, 2021, 9:28pm

Hi,

I'm still a ELK noob so bear with me here ;).

I've setup Logstash to send the output of fping command to Elasticsearch and add some geoip data to it.

Fping output;

ec2.eu-west-1.amazonaws.com  : xmt/rcv/%loss = 30/29/3%, min/avg/max = 27.1/27.4/28.0

I already remove some unwanted fields and converted some values. The thing I cannot seems to figure out is why I get same double fields of which one is name fields.keyword

@timestamp:
Jun 25, 2021 @ 23:18:35.680
@version:
1
avg:
89.5
geoip.as_org:
Amazon.com, Inc.
geoip.as_org.keyword:
Amazon.com, Inc.
geoip.asn:
16,509
geoip.country_code2:
US
geoip.country_code2.keyword:
US
geoip.country_name:
United States
geoip.country_name.keyword:
United States
geoip.ip:
54.239.28.168
loss:
0
max:
90.9
min:
89
tags:
fping
tags.keyword:
fping
target:
ec2.us-east-1.amazonaws.com
target.keyword:
ec2.us-east-1.amazonaws.com
type:
fping
type.keyword:
fping
_id:
wScJRXoBnY3E-uxC7RYW
_index:
logstash-2021.06.25-000001
_score:
-
_type:
_doc

How can I remove the .keyword fields since they are double.

full Logstash config;

input {
    exec {
        command => "/usr/bin/fping -q -c 30 -B1 -r1 < /etc/logstash/fping.conf 2>&1"
        interval => 10
        type => "fping"
        tags => [ "fping" ]
    }
}
filter {
    if "fping" in [tags] {
        split {
        }
        grok {
            match => { "message" => "%{IPORHOST:target}.*loss = %{DATA}\/%{DATA}\/%{NUMBER:loss}%{DATA}= %{NUMBER:min}\/%{NUMBER:avg}\/%{NUMBER:max}" }
        }
        if [reponse] == "-" {
            drop { }
        } else {
            mutate {
                convert => { "avg" => "float" }
                convert => { "loss" => "float" }
                convert => { "max" => "float" }
                convert => { "min" => "float" }   
                remove_field => "[command]"       
                remove_field => "[message]"  
                remove_field => "[host]"                                   
            }
        }
        geoip {
            source => "target"
            database => "usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-Country.mmdb"
            remove_field => "[geoip][continent_name]"
        }
        geoip {
            source => "target"
            database => "usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-ASN.mmdb"
            remove_field => "[geoip][as_org][keyword]"
        }
    }
}
output {
    elasticsearch {
        hosts    => [ "localhost" ]
        index => "fping-%{+YYYY.MM.dd}"
    }
}

Any feedback on it is appreciated

Thnx!

Badger · June 25, 2021, 9:36pm

The rationale for .keyword is explained in this blog post. Once you understand why they exist, if you want to stop them being created by default you will have to create your own template to replace the default.

system · July 23, 2021, 9:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK query generating .keyword fields in Elasticsearch Logstash	3	709	May 3, 2021
Collecting logs from filebeats at k8s to logstash, can't filter fields Logstash	5	153	August 16, 2024
All fields from logstash coming in as text to ES, Pls let me know how to set as keyword? Elasticsearch	5	51	August 29, 2024
Data allways stack in field.keyword than field Kibana docker	9	500	September 9, 2022
Removing subfield in the elasticsearch output display Elasticsearch	4	498	July 29, 2021

Get rid of .keyword

Related topics