Prune filter does not work

Juan_David_Jaramillo · March 10, 2022, 1:24am

good morning, hope you are well

I have a problem with the "prune" filter in logstash and I have a configuration file in logstash in which the objective is to take the data from filebeat-netflow and go through the pipe in logstash and from there I filter the fields that I need to send to Elasticsearch, I have this configuration, but I do not know if the fields are well mapped according to the syntax that handles netflow for those fields, but the filter does not work, that is to say it does nothing and when running the script is stuck in listening and does not send data.

I need your help with this please, and so feedback about the information of the filter 'prune' with the function 'whitelist_names', as there is no information or consistent examples in the documentation in elastic, do not know how to map correctly filebear-netflow fields and that filter is required as the netflow packs many unnecessary fields that consume significant storage in my elastic cloud, thanks,

input {
  beats {
    port  => 5044
  }
}


filter {
    prune {
        interpolate => true
        whitelist_names => [ "[source][ip]", "[observer][ip]" ]
    }
}



output {
if [observer][ip] == "10.20.248.34" {
  #stdout{ }
  elasticsearch {
    hosts => ["https://xxxxxxxxxxxxx.us-central1.gcp.cloud.es.io:9243"]
    user => "elastic"
    password => "xxxxxxxx"
    index => "ntw"
    }
 }
}

Badger · March 10, 2022, 2:53am

The documentation for the prune filter notes that

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

See also this post.

Juan_David_Jaramillo · March 10, 2022, 6:31pm

Ok, thanks for your answer, but then what filter can I apply to choose which fields I want to send only? so it is not a whitelist, any other script that I can use to indicate and specify to send me only the fields I need?

Badger · March 10, 2022, 7:03pm

For your use-case you could try something like this to save the fields you want, and then delete everything

    mutate { add_field => { "[@metadata][source]" => "%{[source][ip]}" "[@metadata][observer]" => "%{[observer][ip]}" } }
    prune {
        whitelist_names => [ "[A][field][that][does][not][exist]" ]
        add_field => { "[source][ip]" => "%{[@metadata][source]}" "[observer][ip]" => "%{[@metadata][observer]}" }
    }

However, I think it more likely you will want

        whitelist_names => [ "@timestamp", "host" ]

Juan_David_Jaramillo · March 10, 2022, 7:41pm

filter {
mutate { add_field => { "[@metadata][source]" => "%{[source][ip]}" "[@metadata][observer]" => "%{[observer][ip]}" } }
    prune {
        whitelist_names => [ "@timestamp", "host" ]
        add_field => { "[source][ip]" => "%{[@metadata][source]}" "[observer][ip]" => "%{[@metadata][observer]}" }
    }
}

I tried it but it doesn't work, I run the logstash file and it looks like this:

Badger · March 10, 2022, 8:03pm

It looks like it is waiting for new events to arrive.

Juan_David_Jaramillo · March 10, 2022, 8:15pm

Yes, but it stays there and does not generate any event and I have waited a long time, because before it did send at once.

system · April 7, 2022, 8:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Prune filter does not work with whitelist but it does with blacklist Logstash	2	237	December 7, 2023
Prune filter plugin - How whitelist a nested field? Logstash	4	2410	December 15, 2020
Logstash prune nested fields Logstash	4	2825	March 12, 2020
Prune filter - Whitelist JSON subfields & per-pipeline log file Logstash	3	637	January 7, 2022
Add filter to send specific fields to elasticsearch Logstash	12	1612	March 12, 2019

Prune filter does not work

Related Topics