This might be a dumb question, but is there a way to keep only certain fields? Sort of the opposite to the remove processor?
I have a Filebeat on each EC2 server in my ECS cluster configured with:
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      json.overwrite_keys: true
      json.keys_under_root: true
      json.add_error_key: true
My index currently has over 2,900 fields, most of which I have no clue what they are or where they are even coming from, and would like to trim this down to only the fields I am actually interested in.
So I suspect the autodiscover means Filebeat is picking up stuff that I don't care about and forwarding it to ES. Or is there a better solution?