Hello,
I have a setup with a filebeat agent that sends messages to an elastic cluster.
I need to filter messages that goes to the cluster, and I have 2 options:
I have a lot of data (approx 500GB per day, and only 1% will be stored in elastic nodes).
Is there any recommendations on what is the most confortable solution?
Thanks!
Hi @rverchere and welcome 
I have a lot of data (approx 500GB per day, and only 1% will be stored in elastic nodes).
Is there any recommendations on what is the most confortable solution?
It depends, but quite probably the best option is to filter them out already in filebeat, this way you avoid the network traffic caused by these messages that you are going to drop in any case.
To drop events from filebeat, you can use the drop_events processor.
Hey, thanks for your feedback!
I think I will go for your solution, and if I have time or find something that does not fit my needs, I will go with pipelines on ingest nodes.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.