How to avoid host.name field in filebeat

r.ganeshbabu · March 13, 2023, 3:58pm

Hi Team,

I am sending data to elasticsearch using filebeat once the file were harvested I can see field
host.name where the value is hostname of the VM

  {
  	"_index": "filebeat-7.17.6-2023.03.13-000001",
  	"_type": "_doc",
  	"_id": "wGdI24YBQ3WX0oT6tKyJ",
  	"_score": 1.0,
  	"_source": {
  		"@timestamp": "2023-03-13T14:03:38.455Z",
  		"agent": {
  			"name": "logstash",
  			"type": "filebeat",
  			"version": "7.17.6",
  			"hostname": "logstash",
  			"ephemeral_id": "6f61b3c8-4867-470a-834b-6389c7e848d9",
  			"id": "e4e34578-5252-4493-ab90-380affaa6a3f"
  		},
  		"log": {
  			"offset": 514,
  			"file": {
  				"path": "/home/ganeshbabu_lab/filebeat-7.17.6-linux-x86_64/seven.log"
  			}
  		},
  		"message": "testing the filebeat",
  		"input": {
  			"type": "filestream"
  		},
  		"fields": {
  			"host": "filebeat-test",
  			"level": "debug",
  			"review": 1
  		},
  		"ecs": {
  			"version": "1.12.0"
  		},
  		"host": {
  			"name": "logstash"
  		}
  	}
  }

By default host.name field is coming in every events processed through filebeat.
How to avoid host.name in json by default?

Using drop fields i can able to remove the host.name. Is there any option in filebeat not to send host.name

Please let me know your thoughts.

Thanks,
Ganeshbabu R

amanv · March 20, 2023, 12:14pm

Hi @r.ganeshbabu. You could make use of the drop_fields processor. If that's what you've already tried, please respond back on this thread.

PRASHANT_MEHTA · March 20, 2023, 12:19pm

Use Something like this in filebeat.yml:

  processors:
    - add_host_metadata: null
    - drop_fields:
        when:
          equals:
            agent.type: filebeat
        fields:
        - agent.hostname
        - agent.id
        - agent.type
        - agent.ephemeral_id
        - agent.version
        - log.offset
        - log.flags
        - input.type
        - ecs.version
        - host.os
        - host.id
        - host.mac
        - host.architecture

r.ganeshbabu · March 20, 2023, 12:24pm

Thanks for sharing the details.. I have used drop fields processor in filebeat config

Thanks
Ganeshbabu R

Marius_Iversen · March 21, 2023, 4:06pm

Specific to the fields for add_host_metadata (host.*), you can use:
publisher_pipeline.disable_host: true

system · April 18, 2023, 6:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.