Ok, it seems it might not necessarily be just the add_host_metadata processor that's writing to my host field.
After testing various combinations of json.overwrite_keys in the prospectors, processors.add_host_metadata attempting to drop the host field in a processor, and add_hostname => false in the logstash beats input plugin, I'm seeing basically 4 different results (none of which are the desired one, my payload in the host field):
- host field completely absent
- "host": {"name":"dc79b87d3f81"}
- "host": "dc79b87d3f81"
- "host": {"name":"dc79b87d3f81", ..., [full metadata as shown above]}
This is so frustrating. I could live with a solution where I would rename the host field containing my intended payload string to something like client_ip, before filebeat overwrites it, and leave the unneeded host metadata in, but I can't figure out a way to do that either.
(FYI, I'm running filebeat via the official docker image. Could this possibly also be related to some docker autodiscover hint magic?)