The processors only filter part of message

Augustus1995 · December 3, 2017, 3:05pm

Hi, i want to use filebeat send message to elasticsearch directly. And i use processors as a filter to drop some useless fields. But when i check message from kibana only half messages drop fields. And i only run one filebeat. so is there have some solutions to let all messages drop fields.

here is my filebeat.yml

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - h:\log\*
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
output.elasticsearch:
  hosts: ["localhost:9200"]
processors:
- drop_fields:
    fields: ["offset", "_score", "_version","beat"]

And the pic of my kibana:

what's more, can i decode the json in the "message"?
i have try- decode_json_fields: but it didn't work

Christian_Dahlqvist · December 3, 2017, 3:40pm

_score and _version are internal Elasticsearch fields, so do not exist in Filebeat and can not be dropped.

Augustus1995 · December 3, 2017, 3:43pm

but what about offset and beat it is in the _source and why in some message i could drop it but the other not

steffens · December 4, 2017, 1:31pm

How many filebeat instances have you running? Can you not exclude the beat field?

Topic		Replies	Views
Filebeat didn't drop some of the fields Beats filebeat	2	4035	June 19, 2017
Unable to Drop desired fields using drop_fields processors in filebeat Beats filebeat	3	1380	March 26, 2021
Filebeats not dropping agent.* fields Beats filebeat	4	2556	November 20, 2019
Drop agent / ecs fields from filebeat (previous solves here only partially work) Beats filebeat	1	440	June 8, 2022
Filebeat drop_fields processors module does not work Beats filebeat	1	302	December 14, 2021

The processors only filter part of message

Related topics