The processors only filter part of message

Augustus1995 · December 3, 2017, 3:05pm

Hi, i want to use filebeat send message to elasticsearch directly. And i use processors as a filter to drop some useless fields. But when i check message from kibana only half messages drop fields. And i only run one filebeat. so is there have some solutions to let all messages drop fields.

here is my filebeat.yml

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - h:\log\*
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
output.elasticsearch:
  hosts: ["localhost:9200"]
processors:
- drop_fields:
    fields: ["offset", "_score", "_version","beat"]

And the pic of my kibana:

what's more, can i decode the json in the "message"?
i have try- decode_json_fields: but it didn't work

Christian_Dahlqvist · December 3, 2017, 3:40pm

_score and _version are internal Elasticsearch fields, so do not exist in Filebeat and can not be dropped.

Augustus1995 · December 3, 2017, 3:43pm

but what about offset and beat it is in the _source and why in some message i could drop it but the other not

steffens · December 4, 2017, 1:31pm

How many filebeat instances have you running? Can you not exclude the beat field?

system · January 1, 2018, 1:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.