Truncate cmdline to save bandwith

kaem2111 · March 19, 2019, 9:12am

Hello,

I am using Version 6.6.0 and have some very long system.process.cmdline fieldvalues that I want to truncate within the (metric)beat agent. The only working possibility I know today is to drop the field:

processors:
- drop_fields:
    when:
        regexp:
            system.process.cmdline: ".* .* .* .* .* .* .* .* .* .* .* .*" 
    fields: [ "system.process.cmdline" ]

Do you plan to implement a truncate function?

Alternatively I could also imagine a construct using matching group as an easy to implement, quick win like:

processors:
- drop_fields:
    when:
        regexp:
            system.process.cmdline: "(.*) .* (.*) .* .* .* .* .* .* .* .* .*"
                returns: "text: $2 text: $1"
    fields: [ "system.process.cmdline" ]

Please let me know whether you want me to create a feature request in GitHub with your preferred option.

kvch · March 22, 2019, 9:40am

There is a truncate_field PR in progress right now: https://github.com/elastic/beats/pull/11297
It still needs a bit of work, but hopefully will be merged and released soon. Does it satisfy your needs? If you have any additional request, feel free to open an issue.

Topic		Replies	Views
Filter values in Metricbeat 8.7.0 Beats metricbeat	1	49	December 29, 2024
Dropping fields doesnt work Beats metricbeat	5	1444	August 22, 2017
Show "right" substring in Kibana visualisation Kibana	2	1429	February 21, 2017
[Metricbeat] system.process.cmdline often missing Beats	3	856	April 25, 2017
Drop_fields not working Beats metricbeat	2	521	May 17, 2018

Truncate cmdline to save bandwith

Related topics