Unable to exclude metricbeat metrics with drop_events

Elastic Stack Beats
1

I've tried quite a few different syntax and I'm not able to get metricbeat to exclude metrics. I'm not getting any errors on startup either.

Here is my config:

    setup:
      template:
        enabled: true
        name: "${INDEX_NAME:cluster-metrics}"
        pattern: "${INDEX_NAME:cluster-metrics}-*"
        fields: "fields.yml"
        settings:
          index.number_of_shards: 1
          index.number_of_replicas: 1
          index.lifecycle.name: "ilm_policy"
      ilm:
        enabled: false
      kibana:
        host: "${KIBANA_HOST:kibana.example.com:5601}"
        protocol: "${KIBANA_PROTOCOL:https}"
        ssl.verification_mode: "${KIBANA_VERIFYSSL:none}"
        username: "${KIBANA_USERNAME:kibana}"
        password: "${KIBANA_PASSWORD:password}"

    logging:
      level: "${LOG_LEVEL:warning}"
      to_stderr: true
      json: true

    metricbeat.autodiscover:
      providers:
        - type: kubernetes
          hints.enabled: true

    output.elasticsearch:
      hosts: "[${ELASTICSEARCH_HOST}:9200]"
      protocol: "${ELASTICSEARCH_PROTOCOL:https}"
      username: "${ELASTICSEARCH_USERNAME:elastic}"
      ssl.verification_mode: "${ELASTICSEARCH_VERIFYSSL:none}"
      password: "${ELASTICSEARCH_PASSWORD:welcome1}"
      index: "${INDEX_NAME}-%{[agent.version]}-%{+yyyy.MM.dd}"
      allow_older_versions: true

    processors:
      - drop_event.when:
          or:
          - equals:
              kubernetes.namespace: "azure-sql-exporter"
          - equals:
              kubernetes.namespace: "azure-sql-operator-system"
          - equals:
              kubernetes.namespace: "akv2k8s"
          - equals:
              kubernetes.namespace: "monitoring"

    metricbeat.modules:
    - module: prometheus
      metricsets: ["remote_write"]
      host: "localhost"
      port: "8080"

    - module: kubernetes
      enabled: true
      metricsets:
        - state_node
        - state_deployment
        - state_replicaset
        - state_pod
        - state_container
      period: 10s
      hosts: ["${KUBE_STATE_METRICS_HOSTS:kube-state-metrics:8080}"]
      ssl.verification_mode: "none"

    - module: kubernetes
      metricsets:
        - container
        - node
        - pod
        - system
        - volume
      period: 1m
      host: "${NODE_NAME}"
      hosts: ["https://${NODE_NAME}:10250"]
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      ssl.verification_mode: "none"
      processors:
      - add_kubernetes_metadata: ~

    - module: kubernetes
      enabled: true
      metricsets:
        - event

    - module: system
      period: 1m
      metricsets:
        - filesystem
        - fsstat
      processors:
      - drop_event.when.regexp:
          system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)'

    - module: system
      period: 1m
      metricsets:
        - cpu
        - load
        - memory
        - network
        - process
        - process_summary
      processes: ['.*']
      process.include_top_n:
        by_cpu: 5
        by_memory: 5

I'm still seeing metrics for these namespaces and pods come through, how can I exclude them?

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.