Prune filter plugin - How whitelist a nested field?

21908 · November 17, 2020, 2:53pm

Documentation at

has this example and it mentions that it would allow only "msg" through.

filter {
      prune {
        whitelist_names => ["^msg$"]
      }
    }

If I have a single record that has

    "source" => {
        "bytes" => 172,
           "ip" => "192.168.56.105",
         "port" => 38996
    },
    .....
    "server" => {
        "bytes" => 2400,
           "ip" => "192.168.56.102",
         "port" => 9200
    },

Notice how both have the "ip" field. How would I go about only sending source.ip through?

leandrojmp · November 17, 2020, 3:03pm

Try to use the following format:

      prune {
        whitelist_names => ["[source][ip]"]
      }

Badger · November 17, 2020, 3:09pm

You cannot do that using a prune filter.

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

You could do it in a ruby filter.

21908 · November 17, 2020, 3:16pm

Thank you, I'm checking out this filter now. Any chance you have an example or a webpage example that you could direct me too?

system · December 15, 2020, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Prune filter does not work with whitelist but it does with blacklist Logstash	2	237	December 7, 2023
Prune filter does not work Logstash	7	1159	April 7, 2022
Ruby filter to whitelist nested fields Logstash	3	999	March 29, 2022
Whitelist nested field Logstash	6	367	November 28, 2022
Logstash prune nested fields Logstash	4	2825	March 12, 2020

Prune filter plugin - How whitelist a nested field?

Related Topics