This Metricbeat event cannot be indexed in Elasticsearch because of the
"18446744073709551615" value (2^64 - 1, which is larger than a signed 64-bit integer can hold).
{
"@timestamp" => 2017-10-24T14:48:53.950Z,
"system" => {
"process" => {
"memory" => {
"share" => 0,
"rss" => {
"pct" => 0.0,
"bytes" => 0
},
"size" => 0
},
"pgid" => 0,
"name" => "host-0000",
"pid" => 8529,
"state" => "sleeping",
"cgroup" => {
"blkio" => {
"path" => "/private/data",
"total" => {
"ios" => 240124,
"bytes" => 4509523968
},
"id" => "privatedata"
},
"cpu" => {
"path" => "/private/data",
"cfs" => {
"shares" => 1024,
"period" => {
"us" => 100000
},
"quota" => {
"us" => 0
}
},
"rt" => {
"runtime" => {
"us" => 0
},
"period" => {
"us" => 0
}
},
"id" => "emulator",
"stats" => {
"periods" => 0,
"throttled" => {
"periods" => 0,
"ns" => 0
}
}
},
"memory" => {
"path" => "/private/data",
"mem" => {
"limit" => {
"bytes" => 18446744073709551615
},
"failures" => 0,
"usage" => {
"max" => {
"bytes" => 5487312896
},
"bytes" => 4822638592
}
},
"id" => "privatedata"
},
},
"fd" => {
"limit" => {
"soft" => 1024,
"hard" => 4096
},
"open" => 0
},
"username" => "root",
"ppid" => 2
}
},
"beat" => {
"name" => "metrics",
"hostname" => "myhost",
"version" => "5.6.2"
},
"@version" => "1",
"host" => "myhost",
"metricset" => {
"name" => "process",
"rtt" => 185656,
"module" => "system"
},
"type" => "metricsets",
"tags" => [
[0] "beats_input_raw_event"
]
}
I am trying to use a Logstash filter to drop the event. Using this guide https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html to access the event data, I would have thought this would work:
# Intended to drop any event whose cgroup memory limit is the 2^64-1 value.
filter {
# NOTE(review): the event dump prints this field unquoted (a number), while the
# condition compares it with a quoted string. A number and a string probably
# never compare equal here, so the branch is never taken. Comparing against the
# bare numeric literal (no quotes) is the likely fix; confirm on this Logstash
# version.
if [system][process][cgroup][memory][mem][limit][bytes] == "18446744073709551615" {
# drop discards the whole event, including the other process metrics it carries.
# Removing only the offending field (mutate with remove_field) would keep the
# rest of the telemetry.
drop {}
}
}
But it doesn't. Does anyone know what is wrong with my config?
Thanks!