Http filter leaves fields, that are inserted to elasticsearch

MMH · September 20, 2019, 5:28pm

Basically my pipeline looks like this:

input {
    (...) #some input
}
filter {
    http {
        (...) #http request
    }
}
output{
    elasticsearch{
        (...)
        action => "update"
        doc_as_upsert => true
    }
}

I need http filter to do a particular HTTP request. But nothing more in http filter, I am not reading data back.
Usage of that filter unwanted result is, that fields produced by http filter are being inserted into ELS document which is updated. For example: headers, body, @version, @timestamp, ...
I tried to use mutate with remove_field to get rid of those unnecessary fields, which work for
headers and body, but I am left with fields like @version, @timestamp which I cannot remove (document will not be updated in ELS) but also do not want them in my document _source.
Is there a way to perform http filter without adding new fields to the event?

Badger · September 20, 2019, 5:39pm

@version and @timestamp are not added by the http filter. They are added to all events by logstash. If I recall correctly @timestamp is mandatory, elasticsearch requires it to be present. Not sure about @version.

MMH · September 20, 2019, 6:11pm

Yes, my mistake.
I would delete this topic, but I do not have permission to do so.

system · October 18, 2019, 6:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove fields from documents based on their value Logstash	8	4262	October 17, 2019
Deleting @Version and @Timestamp fields in Logstash 2.2.2 Logstash	2	4890	March 21, 2019
Filter input data from Filebeat using logstash? Logstash	10	709	January 30, 2023
Remove unnecessary fields in ElasticSearch Logstash	11	5689	July 6, 2017
Elasticsearch message format Logstash	5	1492	March 3, 2017

Http filter leaves fields, that are inserted to elasticsearch

Related topics