How to remove the specific Icingabeat field names sent to elasticsearch?

Pankaj_Navneet · August 9, 2020, 1:02pm

Hi Team,

I have integrated Icinga to my ELK cluster using Icingabeat. Everything is working as expected, but now I don't want to include some of the available fields that are sent to Elasticsearch from Icingabeat.

Reason being I want to use only the fields which are of my use and wants to discard rest of the fields and hence wants to optimize the size of my Icingabeat indexes, which is currently taking GBs for a single day of storage.

I have tried to remove some of the fields (like check_result.schedule_end, check_result.schedule_start) from fields.yml inside the icingabeat directory, and restarted the icingbeat service. But when i checked the Kibana dashboard then those fields are still there. I don't know whether I am doing the right things or not to achieve what I need.

Please help, as no information I have found on neither Google nor on your forum.

Br
Pankaj N

Pankaj_Navneet · August 12, 2020, 10:06am

Hi Team,

Is there anyone who can help and reply me. Every reply will be appreciated. Thanks!

Br
Pankaj N

kvch · August 12, 2020, 1:44pm

I am not familiar with Icingabeat, so I am not sure if it will help. But you could try to use the drop_fields processor. It is part of libbeat, so probably Icingabeat supports this processor. See more about the processor here: https://www.elastic.co/guide/en/beats/filebeat/current/drop-fields.html

If it does not help you, I assume you can get more help from the Icinga forum.

system · September 9, 2020, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.