    if "[response][body][entries][values]" == '^n1D.*' { drop { } }
This will not work because it checks whether the field value is exactly equal to that string. It is not a regexp match (which would be =~ instead of ==), and it tests the field value, not the field name.
    ruby {
        code => "
            event.to_hash.keys.each { |k|
                if k.start_with?('n1D')
                    event.remove(k)
                end
            }
        "
    }
This does not work because it only tests the top-level fields (e.g. [response] in your example). If you just need to do this for that one field, you could try:
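    ruby {
        code => '
            v = event.get("[response][body][entries][values]")
            if v.is_a? Hash
                # Walk the keys of the nested hash only
                v.to_hash.keys.each { |k|
                    if k.start_with?("n1D")
                        # Remove by full field reference; a bare key would address a top-level field
                        event.remove("[response][body][entries][values][#{k}]")
                    end
                }
            end
        '
    }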
If you need to recursively process all fields of an event then see this thread.
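The recursive case, as an added example that is not part of the original post or the thread it links to: plain Ruby that walks nested hashes and arrays and deletes every key starting with a prefix. The names `prune_keys!` and `sample_event` are hypothetical, and the sample data is constructed.

```ruby
# Added example: runs in plain Ruby, without Logstash.
# prune_keys! is a hypothetical helper name, not a Logstash API.

# Recursively delete every hash key that starts with `prefix`.
# Descends into nested hashes and arrays, and returns the removed paths
# in field-reference form, e.g. "[response][body][n1Dx]".
def prune_keys!(node, prefix, path = "", removed = [])
  case node
  when Hash
    # node.keys is a copy, so deleting while iterating is safe.
    node.keys.each do |k|
      here = "#{path}[#{k}]"
      if k.to_s.start_with?(prefix)
        node.delete(k)
        removed << here
      else
        prune_keys!(node[k], prefix, here, removed)
      end
    end
  when Array
    node.each_with_index do |item, i|
      prune_keys!(item, prefix, "#{path}[#{i}]", removed)
    end
  end
  removed
end

# Constructed sample shaped like the event discussed above.
def sample_event
  {
    "n1Dtop" => 1,
    "response" => {
      "body" => {
        "entries" => {
          "values" => { "n1Dabc" => "x", "keep" => "y" },
          "list"   => [{ "n1Dzzz" => 1, "id" => 7 }]
        }
      }
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  ev = sample_event
  puts prune_keys!(ev, "n1D").inspect
  puts ev.inspect
end
```

Inside a ruby filter, the same helper could be applied to the value returned by `event.get("[response]")` and the result written back with `event.set("[response]", v)`.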