Rename filebeat default fields

filebeater · June 1, 2017, 11:59pm

Is there a way for me to rename "beat.hostname" to "hostname" in filebeat output?

the documentation mentioned filter, but this seems like a filter setup in logstash, not in filebeat, right?
per https://www.elastic.co/guide/en/beats/filebeat/current/migration-changed-fields.html,
I included the following in filebeat.yml, filebeat complained about the syntax "Exiting: error loading config file: yaml: line 71: could not find expected ':'"

filter {
    mutate {
        rename => {
            "filebeat.hostname" => "hostname"
        }
    }
}

andrewkroh · June 2, 2017, 2:20am

It can be done using Logstash or using the Ingest Node feature in Elasticsearch.

Right, that is a Logstash filter example.

filebeater · June 2, 2017, 5:08pm

Thanks for the clarification. that is a bummer, we would like to deploy filebeat only at the edge server, and remove those unnecessary fields before sending them out.

Btw, just to make sure I understand this, log stash is heavy weight, not supposed to deployed at the edge server (where our production service is running), right?

andrewkroh · June 2, 2017, 5:45pm

You can remove the fields with Filebeat alone. You just cannot rename them.

processors:
- drop_fields:
    fields: ['beat.hostname']

With an ingest node pipeline in Elasticsearch you can rename the fields and this only requires Filebeat and Elasticsearch.

You could deploy LS on your edge nodes. It will likely have a larger memory footprint than Filebeat. If your only task is sending a logs then I would recommend Filebeat.

filebeater · June 2, 2017, 7:35pm

@andrewkroh is it possible to remove "@timestamp" and "type"?

thanks!
yan

andrewkroh · June 2, 2017, 7:54pm

Those fields are protected from being removed because they are used by some of the outputs in beats. But you can drop them with the ingest node remove processor.

filebeater · June 6, 2017, 10:48pm

I currently set up filebeat and logstash on the same machine in my local dev box, config filebeat to send output to logstash. In my logstash output, beat.hostname and host have the same value. I read the following in the filebeat documentation. I would like to confirm that host is indeed directly copied from beat.hostname, such that
when i deploy filebeat and logstash on different servers, they would still have the same values and I can safely remove "beat" field in logstash filter. I would like to keep the hostname of the edge server where filebeat is located.
Could someone please correct me if i mis-interpreted the following? If my understanding is correct, why duplicated fields are kept by default?

Filebeat uses "beat.hostname" for Sending the Hostname of the Server. While the Logstash Forwarder sends the hostname of the server it’s running on in the host field, Filebeat uses the beat.hostname field for the same purpose.
Because host is commonly used in the Logstash plugin ecosystem, the Beats input plugin automatically copies beat.hostname into host.

system · July 4, 2017, 10:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to rename filebeat fields Beats filebeat	5	1859	July 11, 2018
How to replace the value of beat.hostname? Beats filebeat	2	12720	July 22, 2016
Disable 'Host' output field from filebeat Beats filebeat	4	2668	November 9, 2018
How to avoid host.name field in filebeat Beats filebeat	5	1351	April 18, 2023
Rename event fields Beats filebeat	2	854	November 15, 2016

Rename filebeat default fields

Related topics