Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

PRASHANT_MEHTA · September 8, 2023, 1:34pm

Hello All,

I am facing major issue with logstash after migration from 7.9.1 to 8.8.2 version.
Elasticsearch/Logstash 8.X version has ECS compatibility enabled by default.This adds new field
event.original in every document indexed in elasticsearch from logstash.
To ignore above field i.e event.original we've added pipeline.ecs_compatibility: disabled in logstash.yml and it eliminates required field.

But it also eliminates other necessary fields like host.name(This value is required by us)
Plz suggest us some solution how to handle this .

Thanks

Badger · September 8, 2023, 1:45pm

You could use

mutate { remove_field => [ "event" ] }

or

mutate { remove_field => [ "[event][original]" ] }

PRASHANT_MEHTA · September 8, 2023, 3:12pm

Hello @Badger ,

Thanx for your quick response,I will test with this and check if this resolves.

system · October 6, 2023, 3:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get rid of event.original field? Beats filebeat	7	10574	May 27, 2022
Couchdb_changes index only doc field from event Logstash	32	4250	July 6, 2017
Create new event in logstash filter Logstash	2	3318	July 6, 2017
Log.original field lost with upgrade 8.6.1 from 1.5.3 Elasticsearch ecs-elastic-common-schema	4	256	December 28, 2023
How to get rid of new field? Logstash	6	995	July 6, 2017

Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

Related Topics