Prune filter plugin - How whitelist a nested field?

21908 · November 17, 2020, 2:53pm

Documentation at

has this example and it mentions that it would allow only "msg" through.

filter {
      prune {
        whitelist_names => ["^msg$"]
      }
    }

If I have a single record that has

    "source" => {
        "bytes" => 172,
           "ip" => "192.168.56.105",
         "port" => 38996
    },
    .....
    "server" => {
        "bytes" => 2400,
           "ip" => "192.168.56.102",
         "port" => 9200
    },

Notice how both have the "ip" field. How would I go about only sending source.ip through?

leandrojmp · November 17, 2020, 3:03pm

Try to use the following format:

      prune {
        whitelist_names => ["[source][ip]"]
      }

Badger · November 17, 2020, 3:09pm

You cannot do that using a prune filter.

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

You could do it in a ruby filter.

21908 · November 17, 2020, 3:16pm

Thank you, I'm checking out this filter now. Any chance you have an example or a webpage example that you could direct me too?

system · December 15, 2020, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[SOLVED]Prune Filter Question Logstash	8	1813	August 28, 2019
Prune filter does not work with whitelist but it does with blacklist Logstash	2	238	December 7, 2023
Does it possible remove all nested fields except white-list? Logstash	4	3031	July 6, 2017
Prune filter does not work Logstash	7	1166	April 7, 2022
Looking for a way to prune fields with certain text in them but struggling with the prune filter and regex Logstash	2	1012	November 28, 2018

Prune filter plugin - How whitelist a nested field?

Related topics