Redundant fields in elsatic

Elastic Stack Beats
1

I have redundant field in Kibana, what can I make not to show them?
Fields are like

"beat": {
  "hostname": "preprod-api.example.com",  <-- (host, where from logs go to logstash)
  "name": "preprod-api.example.com",
  "version": "6.1.0"
},
"preprod-api.example.com": "",
"prospector": {
  "type": "log"
},

I have this settings for template in /etc/filebeat/filebeat.yml:

setup.template.enabled: true
setup.template.name: "preprod-filebeat-%{+YYYY.MM.dd}"
setup.template.pattern: "preprod-filebeat-*"
setup.template.fields: "/etc/filebeat/fields.yml"
setup.template.overwrite: true

and this is /etc/filebeat/fields.yml:

  • key: log
    title: Log file content
    description: >
    Contains log file lines.
    fields:

    • name: source
      type: keyword
      required: true
      description: >
      The file from which the line was read. This field contains the absolute path to the file.
      For example: /var/log/system.log.

    • name: message
      type: text
      ignore_above: 0
      required: true
      description: >
      The content of the line read from the log file.

2

If you don't want the fields in Kibana then configure the source to not send them.

In Beats this can be don't by using the drop_field processor. Put this into you filebeat.yml and restart.

processors:
- drop_fields:
    fields:
    - beat.hostname
    - <other fields to drop>

No changes are required to the fields.yml.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.