Remove a field before being sent to output

pkaramol · May 16, 2018, 4:22pm

I am trying to add a custom _id field as follows:

My filter.conf

filter {

  prune {
     whitelist_names => ["^http_user$"]
   }

   mutate {
     rename => { "http_user" => "username" }
     add_field => [ 'custom_id', '0' ]
   }

  fingerprint {
    key => "somekey"
    base64encode => true
    method => "SHA512"
    source => [ "http_user" ]
    target =>  "custom_id"
   }

}

and my output.conf

output {

    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "my_index_name"
      document_id => "%{custom_id}"
    }

    stdout {
      codec => rubydebug
    }

}

However i do not want custom_id to make it to elasticsearch.
Is there a way to go about it?

Badger · May 16, 2018, 4:55pm

Call it [metadata][custom_id] instead of [custom_id].

magnusbaeck · May 16, 2018, 7:35pm

Call it [metadata][custom_id] instead of [custom_id].

Better make it [@metadata][custom_id].

system · June 13, 2018, 7:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Remove Field Output Issue Logstash	11	3721	February 24, 2017
Unable to remove field from elastic search Logstash	7	395	July 31, 2019
Delete a field in filter, but use it in output Logstash	8	7802	July 6, 2017
Logstash: Adding custom field to documennt Logstash	6	1175	August 8, 2018
Can't remove fields in logstash 5.2.2 Logstash	5	805	April 12, 2017

Remove a field before being sent to output

Related topics