Ruby filter to whitelist nested fields

I am trying to whitelist a number of nested fields.
I first tried it using the prune filter, but it seems that one does not support nested fields, only top-level fields.

I saw in this topic, "Logstash prune nested fields", that there was an example for blacklisting nested fields using the ruby filter.

Can somebody help me with the same thing but for whitelisting?
I tried to do it myself, but Ruby is very new to me, so I am really struggling.

If you need to iterate over the contents of objects in the event then you would use a ruby filter like this. However, it is hard for me to even think of a syntax that would allow one to specify which nested fields should be whitelisted when an object can contain arrays within hashes and hashes within arrays.

Here is an example of the data structure.

As an example, I would only like to keep var1, var2 and var3.

{ "events": { "var1": "aaa", "var2": "bbbb", "var3": true, "var4": "true", "time": 1646061099862, "var5": "tttt", "var6": "xxxxxxxxxxxx" } }

So this is what I would like to keep after the whitelisting

{ "events": { "var1": "aaa", "var2": "bbbb", "var3": true } }
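
One way to whitelist nested fields, as an added example that is not part of any post in this thread. It goes beyond the flat sample by also filtering hashes inside arrays, the case raised in the reply; the helper names `build_tree`, `prune` and `whitelist` are hypothetical, and the whitelist is written as Logstash-style field references.

```ruby
# Added example, plain Ruby so it runs outside Logstash.
# ALLOWED uses Logstash field-reference syntax; names are from the sample event.
ALLOWED = ['[events][var1]', '[events][var2]', '[events][var3]'].freeze
DROP = Object.new.freeze # marker for "nothing whitelisted here"

# "[a][b]" references -> nested tree {"a"=>{"b"=>true}}; true = keep whole subtree.
def build_tree(refs)
  tree = {}
  refs.each do |ref|
    segments = ref.scan(/\[([^\[\]]+)\]/).flatten
    node = tree
    segments.each_with_index do |seg, i|
      break if node[seg] == true # a broader rule already keeps this subtree
      if i == segments.length - 1
        node[seg] = true
      else
        node = (node[seg] ||= {})
      end
    end
  end
  tree
end

# Copy only whitelisted keys. Arrays are transparent: each element is
# filtered with the same rules, so hashes inside arrays are handled too.
def prune(value, tree)
  return value if tree == true
  case value
  when Hash
    value.each_with_object({}) do |(key, child), kept|
      next unless tree.key?(key)
      result = prune(child, tree[key])
      kept[key] = result unless result.equal?(DROP)
    end
  when Array
    value.map { |item| prune(item, tree) }.reject { |item| item.equal?(DROP) }
  else
    DROP # scalar where the whitelist expected a nested object: not allowed
  end
end

def whitelist(data, refs)
  prune(data, build_tree(refs))
end

# Constructed sample, same shape as the event in the thread.
SAMPLE = { 'events' => { 'var1' => 'aaa', 'var2' => 'bbbb', 'var3' => true,
                         'var4' => 'true', 'time' => 1646061099862 } }.freeze
p whitelist(SAMPLE, ALLOWED) if __FILE__ == $PROGRAM_NAME
```

Inside a Logstash ruby filter, the same helpers could be applied to one top-level field with `event.get('events')` and `event.set('events', ...)`, which leaves `@timestamp` and other metadata untouched; that wiring is a sketch and is not exercised here.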
