Hello,
can anybody explain me what does the following filter do ?
filter {
if [@metadata][input-http] {
date {
match => [ "date", "UNIX" ]
remove_field => [ "date" ]
}
mutate {
remove_field => ["headers","host"]
}
}
}
if the @metadata tag contains "input-http" then:
Use the "date" field (which is in UNIX Epoch format) and turn it into the @timestamp field (by default)
Then remove the "date" field (since the info is now in @timestamp)
Next use the mutate filter and remove the two fields "headers" and "host"
End.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.