Remove a field before being sent to output

I am trying to add a custom _id field as follows:

My filter.conf

filter {

  prune {
     whitelist_names => ["^http_user$"]
   }

   mutate {
     rename => { "http_user" => "username" }
     add_field => [ 'custom_id', '0' ]
   }

  fingerprint {
    key => "somekey"
    base64encode => true
    method => "SHA512"
    source => [ "http_user" ]
    target =>  "custom_id"
   }

}

and my output.conf

output {

    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "my_index_name"
      document_id => "%{custom_id}"
    }

    stdout {
      codec => rubydebug
    }

}

However i do not want custom_id to make it to elasticsearch.
Is there a way to go about it?

Call it [metadata][custom_id] instead of [custom_id].

Call it [metadata][custom_id] instead of [custom_id].

Better make it [@metadata][custom_id].

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.