Remove fields with specific prefix at the end of LogStash pipeline

itokai · August 19, 2021, 6:53am

Hello,

how to remove children fields with specific prefix at the end of LogStash pipeline?

parent.level2.level3.removewiththisprefix_1, parent.level2.level3.removewiththisprefix_2,... parent.level2.level3.removewiththisprefix_X

Have tried with Mutate filter but it doesn't recognize regexp

filter {
      mutate {
        remove_field => [ "parent.level2.level3.removewiththisprefix_*", "removewiththisprefix_*" ]
      }
    }

and also with custom ruby block, but what path to use in order to reach children?

ruby {
    code => '
        event.to_hash.each { |k, v|
           if event.get(k).start_with?("removewiththisprefix_")
               event.remove(k)
           end
        }
        '
    }

Suffixes of those fields are unpredictable, that's why need to rely on prefix. Their amount can be big, so they have to go away before writing document to index. Any steady suggestion is welcome!

Regards

Badger · August 19, 2021, 1:23pm

See this thread.

system · September 16, 2021, 1:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to remove subfield using ruby Logstash	5	5659	January 2, 2017
Removing specific fields Logstash	2	300	May 28, 2018
Removing fields with certain value (or if mapping is not found) from the output Logstash	8	2296	June 12, 2019
Remove Specific Field matching pattern Logstash	5	764	April 19, 2023
RUBY Logstash Remove field without suffix Logstash	2	513	September 24, 2018

Remove fields with specific prefix at the end of LogStash pipeline

Related topics