Parsing a logstash file

DOkuwa · December 1, 2025, 4:41pm

I want to parse my logstash file to be able to delete some unnecessary fields that appear in kibana

This is the input file from filebeat

{
  "source": "10.200.226.62:57500",
  "subscription-name": "default-1764331045",
  "timestamp": 1764328788493751000,
  "time": "2025-11-28T12:19:48.493751+01:00",
  "updates": [
    {
      "Path": "interfaces/interface[name=GigabitEthernet0/0]/state/counters/out-
octets",
      "values": {
        "interfaces/interface/state/counters/out-octets": "334577330"
      }
    }
  ]
}
{
  "source": "10.200.10.10:57500",
  "subscription-name": "default-1764331045",
  "timestamp": 1764328788497842000,
  "time": "2025-11-28T12:19:48.497842+01:00"
}
{
  "sync-response": true
}
{
  "source": "10.200.10.10:57500",
  "subscription-name": "default-1764331045",
  "timestamp": 1764328798498615000,
  "time": "2025-11-28T12:19:58.498615+01:00",
  "updates": [
    {
      "Path": "interfaces/interface[name=GigabitEthernet0/0]/state/counters/out-octets",
      "values": {
        "interfaces/interface/state/counters/out-octets": "334579570"
      }
    }
  ]

This is an example of the logstash file

input {
  beats {
    port => 5044
  }
}

filter {

}

output {
  stdout { codec => rubydebug }
    elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "telegraf-logstash"
    user => "elastic"
    password => "xxxxxxxxx"
    ssl_enabled => true
    ssl_certificate_authorities => ["/etc/elasticsearch/certs/http_ca.crt"]
  }
}

this is the output

I dont want fields like host architecture etc

Thanks

I dont want all this

rugenl · December 1, 2025, 5:56pm

Look in your beats config for

#The following example enriches each event with host
#metadata.

processors:
add_host_metadata: ~

If it’s there, comment it out.

Rios · December 1, 2025, 6:08pm

Also you can drop fields in filebeat.yml:

processors:
  - add_host_metadata: ...
  
  - drop_fields:
      fields: ["agent.version","agent.type","agent.id","agent.ephemeral_id","host","mac","ip","log.file.vol","log.file.idxhi","log.file.idxlo","log.offset"]
      ignore_missing: true

Just adopt list.

Of couse, you can delete in LS:

mutate {
       remove_field => [ "agent", "host" ]
     }

Topic		Replies	Views
Filebeat show unwanted logs Beats filebeat	11	2417	August 30, 2017
Remove event received from Metricbeat to Logstash Beats metricbeat	3	1084	June 8, 2017
Drop fields generated by beats Logstash	2	586	June 7, 2019
Problem deleting fields or renaming (from filebeat) Logstash	7	2130	July 6, 2017
How can i remove field? Logstash	3	660	July 6, 2017

Parsing a logstash file

Related topics