Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

Elastic Stack Logstash
1

Hello All,

I am facing major issue with logstash after migration from 7.9.1 to 8.8.2 version.
Elasticsearch/Logstash 8.X version has ECS compatibility enabled by default.This adds new field
event.original in every document indexed in elasticsearch from logstash.
To ignore above field i.e event.original we've added pipeline.ecs_compatibility: disabled in logstash.yml and it eliminates required field.

But it also eliminates other necessary fields like host.name(This value is required by us)
Plz suggest us some solution how to handle this .

Thanks

1 Like
2

You could use

mutate { remove_field => [ "event" ] }

or

mutate { remove_field => [ "[event][original]" ] }
1 Like
3

Hello @Badger ,

Thanx for your quick response,I will test with this and check if this resolves.

1 Like
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.