Prune filter plugin - How whitelist a nested field?

21908 · November 17, 2020, 2:53pm

Documentation at

has this example and it mentions that it would allow only "msg" through.

filter {
      prune {
        whitelist_names => ["^msg$"]
      }
    }

If I have a single record that has

    "source" => {
        "bytes" => 172,
           "ip" => "192.168.56.105",
         "port" => 38996
    },
    .....
    "server" => {
        "bytes" => 2400,
           "ip" => "192.168.56.102",
         "port" => 9200
    },

Notice how both have the "ip" field. How would I go about only sending source.ip through?

leandrojmp · November 17, 2020, 3:03pm

Try to use the following format:

      prune {
        whitelist_names => ["[source][ip]"]
      }

Badger · November 17, 2020, 3:09pm

You cannot do that using a prune filter.

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

You could do it in a ruby filter.

21908 · November 17, 2020, 3:16pm

Thank you, I'm checking out this filter now. Any chance you have an example or a webpage example that you could direct me too?

system · December 15, 2020, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.