Mutate remove_field not working for JSON field

Mick_Mahoney · June 10, 2016, 9:09pm

Appreciate it if someone can spot the problem with this.
Trying to remove the [beat][name] field. I'm not getting any errors but the field is not getting removed.

Can anyone spot why please ?

JSON input

{
"@timestamp" => "2016-06-10T20:39:50.836Z",
"beat" => {
"hostname" => "serverName",
"name" => "serverName"
},
"cpu" => {
"idle" => 195218681,
"iowait" => 205653,
"irq" => 57,
"nice" => 107761,
"softirq" => 12225,
"steal" => 0,
"system" => 1583749,
"system_p" => 0.6,
"user" => 3125617,
"user_p" => 1.5
},
"type" => "system",
"@version" => "1",
"category" => "app",
"alias" => "app3",
"indextype" => "system"
}

FILTER

filter {
mutate {
remove_field => [ "event['beat']['name']" ]
}
}

marke72 · June 10, 2016, 9:11pm

Try remove_field => [ "[beat][name]" ]

Mick_Mahoney · June 10, 2016, 9:18pm

Worked ! Many Thanks marke72

Being a newbie with logstash I dont understand why sometimes I use:

event['field']['subfield']

but in this case I use

[field][subfield]

It would be great if someone could explain that ?

marke72 · June 10, 2016, 9:26pm

beat is an array of fields. One of those fields is name. Another field in the array in your case is hostname. "[beat][hostname]" and "[beat][name]". It's just how you reference them in Logstash. Also if you look at cpu it's an array of fields as well.

magnusbaeck · June 14, 2016, 6:35pm

The event['field']['subfield'] notation is only used within ruby filters.

John16 · February 9, 2017, 1:02pm

What is the proper way to remove beat.name field in Ingest pipeline?
I tried
"remove" : { "field": "beat.name" },

but it does not work (field still present in ES).

Thanks!

magnusbaeck · February 9, 2017, 2:02pm

@John16, I suggest you ask your question in the Elasticsearch group.