Prune filter plugin - How whitelist a nested field?

Documentation at

has this example and it mentions that it would allow only "msg" through.

filter {
      prune {
        whitelist_names => ["^msg$"]
      }
    }

If I have a single record that has

    "source" => {
        "bytes" => 172,
           "ip" => "192.168.56.105",
         "port" => 38996
    },
    .....
    "server" => {
        "bytes" => 2400,
           "ip" => "192.168.56.102",
         "port" => 9200
    },

Notice how both have the "ip" field. How would I go about only sending source.ip through?

Try to use the following format:

      prune {
        whitelist_names => ["[source][ip]"]
      }

You cannot do that using a prune filter.

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

You could do it in a ruby filter.

Thank you, I'm checking out this filter now. Any chance you have an example or a webpage example that you could direct me too?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.