Removing fields for certain outputs

kerneldemon · December 30, 2015, 11:40am

Hi there

I want to process certain log data using logstash and then pipe it to multiple outputs.
The data I wish to process always contains sensitive fields that I wish to send to some of the outputs and remove for others.

This is the gist of what I'm trying to do:

output {
  elasticsearch {
     # the whole event
  }
  rabbitmq {
     # the whole event MINUS the sensitive fields
  }

  # other outputs (some of them receive all of the event fields and some of them receive everything except the sensitive fields)
  # ...
}

I can see that is it's possible to remove the field for all of the outputs, but I only want to do that for some of them. Is this possible in a single configuration?

Christian_Dahlqvist · December 30, 2015, 11:46am

I have seen this requested before and a workaround for this is to create one event per output using the clone filter and then format these separately and send them to the correct output using conditionals. It is not terribly elegant but usually works.

kerneldemon · December 30, 2015, 12:39pm

Yeah, that seems to work pretty well. Thanks for the tip!

Topic		Replies	Views
Select fields for multiple outputs Logstash	8	5472	July 6, 2017
Logstash, Input RabbitMQ Logstash	2	366	August 10, 2017
Can I filter the Output data separately?! Logstash	9	10881	August 31, 2018
How to write only specific fields to elasticsearch from logstash Logstash	5	10996	July 6, 2017
Logstash Remove Field Output Issue Logstash	11	3721	February 24, 2017

Removing fields for certain outputs

Related topics