Removing fields for certain outputs

kerneldemon · December 30, 2015, 11:40am

Hi there

I want to process certain log data using logstash and then pipe it to multiple outputs.
The data I wish to process always contains sensitive fields that I wish to send to some of the outputs and remove for others.

This is the gist of what I'm trying to do:

output {
  elasticsearch {
     # the whole event
  }
  rabbitmq {
     # the whole event MINUS the sensitive fields
  }

  # other outputs (some of them receive all of the event fields and some of them receive everything except the sensitive fields)
  # ...
}

I can see that is it's possible to remove the field for all of the outputs, but I only want to do that for some of them. Is this possible in a single configuration?

Christian_Dahlqvist · December 30, 2015, 11:46am

I have seen this requested before and a workaround for this is to create one event per output using the clone filter and then format these separately and send them to the correct output using conditionals. It is not terribly elegant but usually works.

kerneldemon · December 30, 2015, 12:39pm

Yeah, that seems to work pretty well. Thanks for the tip!

Topic		Replies	Views
Select fields for multiple outputs Logstash	8	5554	July 6, 2017
Selective fields per output Logstash	2	1809	July 6, 2017
How to write only specific fields to elasticsearch from logstash Logstash	5	11253	July 6, 2017
Elasticsearch output filter Logstash	2	386	December 9, 2016
Single input with different filter and output Logstash	5	1687	June 4, 2018

Removing fields for certain outputs

Related topics