Prune filter plugin - How whitelist a nested field?

21908 · November 17, 2020, 2:53pm

Documentation at

has this example and it mentions that it would allow only "msg" through.

filter {
      prune {
        whitelist_names => ["^msg$"]
      }
    }

If I have a single record that has

    "source" => {
        "bytes" => 172,
           "ip" => "192.168.56.105",
         "port" => 38996
    },
    .....
    "server" => {
        "bytes" => 2400,
           "ip" => "192.168.56.102",
         "port" => 9200
    },

Notice how both have the "ip" field. How would I go about only sending source.ip through?

leandrojmp · November 17, 2020, 3:03pm

Try to use the following format:

      prune {
        whitelist_names => ["[source][ip]"]
      }

Badger · November 17, 2020, 3:09pm

You cannot do that using a prune filter.

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

You could do it in a ruby filter.

21908 · November 17, 2020, 3:16pm

Thank you, I'm checking out this filter now. Any chance you have an example or a webpage example that you could direct me too?

Topic		Replies	Views
[SOLVED]Prune Filter Question Logstash	8	1906	August 28, 2019
Prune filter does not work with whitelist but it does with blacklist Logstash	2	303	December 7, 2023
Whitelist nested field Logstash	6	443	November 28, 2022
Prune filter does not work Logstash	7	1367	April 7, 2022
Logstash prune nested fields Logstash	4	2928	March 12, 2020

Prune filter plugin - How whitelist a nested field?

Related topics