Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

PRASHANT_MEHTA · September 8, 2023, 1:34pm

Hello All,

I am facing major issue with logstash after migration from 7.9.1 to 8.8.2 version.
Elasticsearch/Logstash 8.X version has ECS compatibility enabled by default.This adds new field
event.original in every document indexed in elasticsearch from logstash.
To ignore above field i.e event.original we've added pipeline.ecs_compatibility: disabled in logstash.yml and it eliminates required field.

But it also eliminates other necessary fields like host.name(This value is required by us)
Plz suggest us some solution how to handle this .

Thanks

Badger · September 8, 2023, 1:45pm

You could use

mutate { remove_field => [ "event" ] }

or

mutate { remove_field => [ "[event][original]" ] }

PRASHANT_MEHTA · September 8, 2023, 3:12pm

Hello @Badger ,

Thanx for your quick response,I will test with this and check if this resolves.

system · October 6, 2023, 3:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash 8.0 is adding extra field Logstash	4	2288	April 1, 2022
Logstash 8.x ecs.compatibility mode adds event.original Logstash	1	2063	July 18, 2022
Remove a field from logstash Logstash	1	524	August 8, 2017
How to get rid of event.original field? Beats filebeat	7	12374	May 27, 2022
Remove event received from Metricbeat to Logstash Beats metricbeat	3	1081	June 8, 2017

Remove event.original from logstash as it comes in every document of logstash version 8.8.2(ECS)

Related topics