How to stop message from being sent after grok

Elastic Stack Logstash
1

I have a logstash agent on a box. It gets data (from redis), does a grok and parses things apart, and then sends the JSON to another box, where elastic brings it in.

The message is grok'd, and then gets sent along with the JSON.

How can I stop the message from being sent? It is getting indexed, and I don't need it to, as I've broken everything out with the grok. What can I set in my logstash.conf that will stop it from being sent.

I realize I can use a template on the ES box, and I will. But I am doing some troubleshooting, and would like to know how to do this.

2

Use the remove_field parameter to the grok filter to have it remove the message field if the grok is successful.

filter {
  grok {
    ...
    remove_field => ["message"]
  }
}
3 Likes
3

I can't believe it was that easy. Thanks so much.