Truncate cmdline to save bandwith

kaem2111 · March 19, 2019, 9:12am

Hello,

I am using Version 6.6.0 and have some very long system.process.cmdline fieldvalues that I want to truncate within the (metric)beat agent. The only working possibility I know today is to drop the field:

processors:
- drop_fields:
    when:
        regexp:
            system.process.cmdline: ".* .* .* .* .* .* .* .* .* .* .* .*" 
    fields: [ "system.process.cmdline" ]

Do you plan to implement a truncate function?

Alternatively I could also imagine a construct using matching group as an easy to implement, quick win like:

processors:
- drop_fields:
    when:
        regexp:
            system.process.cmdline: "(.*) .* (.*) .* .* .* .* .* .* .* .* .*"
                returns: "text: $2 text: $1"
    fields: [ "system.process.cmdline" ]

Please let me know whether you want me to create a feature request in GitHub with your preferred option.

kvch · March 22, 2019, 9:40am

There is a truncate_field PR in progress right now: https://github.com/elastic/beats/pull/11297
It still needs a bit of work, but hopefully will be merged and released soon. Does it satisfy your needs? If you have any additional request, feel free to open an issue.

system · April 19, 2019, 9:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.