Removing subfield in the elasticsearch output display

gisellecarballo · June 30, 2021, 7:48pm

Hi,
Anyone knows how to remove the subfield alone in the elasticsearch display output.
In the output there are fields "host: 192.x.x.x" "host.keyword: 192.x.x.x" I want to remove the host.keyword field.

Current filter:
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
kv {
source => "message"
field_split => " "
}
mutate {
remove_field => [ "@version", "facility", "facility_label" ]
remove_field => [ "host.keyword", "logsource.keyword", "tags", "priority", "severity" ]
}
}

Web Dispaly:

Iker · June 30, 2021, 8:19pm

The "host.keyword" field is not present when Logstash is processing the document, is created when the document is indexed, you have to change in the mapping the type of the field, my understanding is that the field is mapped something like this:

	"host": {
		"ignore_above": 1024,
		"type": "keyword",
		"fields": {
			"text": {
				"norms": false,
				"type": "text"
			}
		}
	},

Given the type of value, maybe is better:

        "host": {
          "ignore_above": 1024,
          "type": "keyword"
        },

gisellecarballo · June 30, 2021, 9:07pm

Hi @Iker ,

Thanks for the reply. Im just new to elk. do you know where I can check the mapping ?
TIA!

Iker · July 1, 2021, 1:25am

Check what index is using, in Kibana UI you could look at the templates in the index management section.

system · July 29, 2021, 1:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.