Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

PRASHANT_MEHTA · September 8, 2023, 1:34pm

Hello All,

I am facing major issue with logstash after migration from 7.9.1 to 8.8.2 version.
Elasticsearch/Logstash 8.X version has ECS compatibility enabled by default.This adds new field
event.original in every document indexed in elasticsearch from logstash.
To ignore above field i.e event.original we've added pipeline.ecs_compatibility: disabled in logstash.yml and it eliminates required field.

But it also eliminates other necessary fields like host.name(This value is required by us)
Plz suggest us some solution how to handle this .

Thanks

Badger · September 8, 2023, 1:45pm

You could use

mutate { remove_field => [ "event" ] }

or

mutate { remove_field => [ "[event][original]" ] }

PRASHANT_MEHTA · September 8, 2023, 3:12pm

Hello @Badger ,

Thanx for your quick response,I will test with this and check if this resolves.

system · October 6, 2023, 3:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash 8.x ecs.compatibility mode adds event.original Logstash	1	1846	July 18, 2022
How to get rid of event.original field? Beats filebeat	7	10728	May 27, 2022
Logstash 8.0 is adding extra field Logstash	4	2137	April 1, 2022
Couchdb_changes index only doc field from event Logstash	32	4251	July 6, 2017
Event.original field Elasticsearch	1	1337	April 20, 2022

Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

Related topics