Remove some fields about logstash

f26227279 · August 26, 2017, 1:10pm

Hi everyone,
I add three fields: day,month,year to adjust my index time.
But I want to remove these three fields.
How can I do .

input {
stdin { }
}
filter {
	
    grok {
            match => { "message" => '%{SYSLOGTIMESTAMP} %{IPV4:iphost} date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{GREEDYDATA:fgtlogmsg}'
            }
			match => { "message" => '<%{NONNEGINT:syslog_pri}>date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{GREEDYDATA:fgtlogmsg}'
            }
			
    }
	
    kv {
            source => "fgtlogmsg"
			remove_field => ["fgtlogmsg"]
    }

	syslog_pri { }
	if "_grokparsefailure" in [tags] {
	drop { }
}
}
output {
    elasticsearch {
            codec => "json" 
            hosts => ["127.0.0.1:9200"]
			index => "logstash-%{year}-%{month}-%{day}"
            
    }
    stdout { codec => rubydebug }
}

thank you in advance : )

immavalls · August 27, 2017, 6:40am

Could you use metadata, instead of fields? See https://www.elastic.co/blog/logstash-metadata.

system · September 24, 2017, 6:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can not remove "tags" field? Logstash	1	2364	December 21, 2016
Remove field in output plugin Logstash	3	2943	July 6, 2017
Remove a field from logstash Logstash	1	513	August 8, 2017
Elastic Json parse into logstash Logstash	30	1201	November 22, 2018
Can't remove fields in logstash 5.2.2 Logstash	5	805	April 12, 2017

Remove some fields about logstash

Related topics