Remove fields with specific prefix at the end of LogStash pipeline

itokai · August 19, 2021, 6:53am

Hello,

how to remove children fields with specific prefix at the end of LogStash pipeline?

parent.level2.level3.removewiththisprefix_1, parent.level2.level3.removewiththisprefix_2,... parent.level2.level3.removewiththisprefix_X

Have tried with Mutate filter but it doesn't recognize regexp

filter {
      mutate {
        remove_field => [ "parent.level2.level3.removewiththisprefix_*", "removewiththisprefix_*" ]
      }
    }

and also with custom ruby block, but what path to use in order to reach children?

ruby {
    code => '
        event.to_hash.each { |k, v|
           if event.get(k).start_with?("removewiththisprefix_")
               event.remove(k)
           end
        }
        '
    }

Suffixes of those fields are unpredictable, that's why need to rely on prefix. Their amount can be big, so they have to go away before writing document to index. Any steady suggestion is welcome!

Regards

Badger · August 19, 2021, 1:23pm

See this thread.

system · September 16, 2021, 1:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to remove subfield using ruby Logstash	5	5657	January 2, 2017
Remove Specific Field matching pattern Logstash	5	754	April 19, 2023
Logstash, remove all fields that contain a specific value Logstash	2	191	July 6, 2023
Working with child fields Logstash	4	773	July 6, 2017
Wildcards in logstash remove_field Logstash	12	3590	August 14, 2020

Remove fields with specific prefix at the end of LogStash pipeline

Related Topics