Remove unnecessary exported fields

s.buksa · October 24, 2023, 9:35pm

Hello,
Is there any way how to remove unnecessary exported fields before indexing?
Using Elastic Agent integration, and along with it comes many exported fields. Tried Elastic Agent processor "drop_fields", but all listed fields for dropping still apears in document. Another option would be to use ingestion pipeline, but at this point it would be more costly and processing in the Agent itself is more preffered.

Just a short example used in configuration file:

processors:
  - drop_fields:
      fields:
        - "cloud.provider"
        - "cloud.region"
        - "host.mac"
        - "host.os.family"
        - "host.os.kernel"
        - "host.os.name"
        - "host.os.codename"
     ignore missing: true

stephenb · October 25, 2023, 1:11am

Hi @s.buksa

What version are you using?

If I recall, unfortunately most of those fields, the host, and agent fields are actually added after The agent processors are run.

I agree, not ideal. So I am fairly sure you're going to have to drop them in an ingest pipeline after they arrive at Elasticsearch.

I'm not sure if the fix of this is on our roadmap, but you certainly can open an issue if you'd like.

s.buksa · October 25, 2023, 5:35am

Hi,
Thank you for your reply. I'm using version 8.9.2.

system · December 15, 2023, 3:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove unnecessary apm fields APM	2	511	August 21, 2019
How to remove fields not required when sending logs via elastic agent Elastic Agent	3	357	December 9, 2023
Add_field processor on empty env provider fields stop ingest Beats elastic-agent	1	203	October 17, 2023
Drop Events while using elastic kubernetes integration to collect logs Elasticsearch	4	164	April 22, 2024
Removing fields from Index Beats windows	5	1038	May 6, 2022

Remove unnecessary exported fields

Related topics