Redundant fields in elsatic

80c1141eb6d0c564dd90 · January 25, 2018, 3:34pm

I have redundant field in Kibana, what can I make not to show them?
Fields are like

"beat": {
  "hostname": "preprod-api.example.com",  <-- (host, where from logs go to logstash)
  "name": "preprod-api.example.com",
  "version": "6.1.0"
},
"preprod-api.example.com": "",
"prospector": {
  "type": "log"
},

I have this settings for template in /etc/filebeat/filebeat.yml:

setup.template.enabled: true
setup.template.name: "preprod-filebeat-%{+YYYY.MM.dd}"
setup.template.pattern: "preprod-filebeat-*"
setup.template.fields: "/etc/filebeat/fields.yml"
setup.template.overwrite: true

and this is /etc/filebeat/fields.yml:

key: log
title: Log file content
description: >
Contains log file lines.
fields:
- name: source
  type: keyword
  required: true
  description: >
  The file from which the line was read. This field contains the absolute path to the file.
  For example: /var/log/system.log.
- name: message
  type: text
  ignore_above: 0
  required: true
  description: >
  The content of the line read from the log file.

andrewkroh · January 25, 2018, 3:56pm

If you don't want the fields in Kibana then configure the source to not send them.

In Beats this can be don't by using the drop_field processor. Put this into you filebeat.yml and restart.

processors:
- drop_fields:
    fields:
    - beat.hostname
    - <other fields to drop>

No changes are required to the fields.yml.

system · February 22, 2018, 3:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.