Removing subfield in the elasticsearch output display

Hi,
Anyone knows how to remove the subfield alone in the elasticsearch display output.
In the output there are fields "host: 192.x.x.x" "host.keyword: 192.x.x.x" I want to remove the host.keyword field.

Current filter:
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
kv {
source => "message"
field_split => " "
}
mutate {
remove_field => [ "@version", "facility", "facility_label" ]
remove_field => [ "host.keyword", "logsource.keyword", "tags", "priority", "severity" ]
}
}

Web Dispaly:

image2754×338 80.1 KB

The "host.keyword" field is not present when Logstash is processing the document, is created when the document is indexed, you have to change in the mapping the type of the field, my understanding is that the field is mapped something like this:

	"host": {
		"ignore_above": 1024,
		"type": "keyword",
		"fields": {
			"text": {
				"norms": false,
				"type": "text"
			}
		}
	},

Given the type of value, maybe is better:

        "host": {
          "ignore_above": 1024,
          "type": "keyword"
        },

Hi @Iker ,

Thanks for the reply. Im just new to elk. do you know where I can check the mapping ?
TIA!

Check what index is using, in Kibana UI you could look at the templates in the index management section.