CR Sardar

Reputation: 1026

Filebeat/Logstash remove unwanted fields & values from output

My Filebeat configuration is very simple -

- input_type: log
  paths:
    - C:\log\FilebeatInputTest.txt

output.logstash:
  hosts: ["http://X.X.X.X:XXXX"]

If I write something in FilebeatInputTest.txt like - This is from Filebeat

I get output in Elasticsearch something like -

.......
"index": "logstash-"
"source" : {
    "@timestamp": "2017-05-19T06:41:02.663Z",
    "beat": {
        "hostname": "CHITTARS02",
        "name": "CHITTARS02",
        "version": "5.4.0"
    },
    "input_type": "log",
    "message": "This is from Filebeat",
    "offset": 23,
    "source": "C:\\log\\FilebeatInputTest.txt",
    "type": "log"
}
.....

My pipeline is Filebeat(monitoring FilebeatInputTest.txt) > Logstash > Elasticsearch

logstash.cnf as follows -

input {

    beats {
        port => 25000
    }
}
output {

    elasticsearch {
        hosts => ["http://xx.xx.xx.xx:XX"]
        user => "elastic"
        password => "changeme"
    }
}

Problem: Can I remove all unwanted keys & values from the output? That is, I want my output to be something like -

....... "index": "logstash-" "source" : { "message": "This is from Filebeat", } ......

I want to remove "@timestamp", "beat", "input_type", "offset", "source", "type"

I tried with following -

filter{
    prune {
        blacklist_names => ["@timestamp", "beat","input_type""offset","source","type"]
    }

}

And

filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type""offset","source","type"]
    }
}

But no help; the results are the same.

Upvotes: 3

Views: 11910

Answers (3)

Ivan Vovk

Reputation: 1039

Another solution is to remove these fields with Filebeat.

processors:
  - add_host_metadata: ~
  - drop_fields:
      # "fields" must be nested under drop_fields, not a sibling key
      fields: ["type", "@version", "offset", "tags"]

Upvotes: 2

Jason Crease

Reputation: 1985

You're using the correct method, but there's a typo in your remove_field list. You missed a comma. It should be:

filter{
    mutate {
        remove_field => [ "@timestamp", "beat", "input_type", "offset", "source", "type" ]
    }
}

Upvotes: 2
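
A small check for the typo this answer points out, added here as an example (it is not part of the original answer or of Logstash's own tooling): it scans a Logstash config for array values where two quoted strings sit next to each other with no comma between them. The function name `find_missing_commas` and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the mutate filter from the question, typo included,
# plus a correct prune array as a control.
SAMPLE = '''filter {
    mutate {
        remove_field => ["@timestamp", "beat","input_type""offset","source","type"]
    }
    prune {
        blacklist_names => ["@version", "[beat][hostname]"]
    }
}
'''

# Start of an array-valued option, e.g.  remove_field => [
ARRAY_START = re.compile(r'(\w+)\s*=>\s*\[')
# Whitespace, comma, closing bracket, quoted string, or a bare word.
TOKEN = re.compile(
    r'''\s+|,|\]|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s,\]"']+''')

def find_missing_commas(config_text):
    """Return (line, option, left, right) for each pair of adjacent
    quoted strings inside an array that have no comma between them."""
    findings = []
    for start in ARRAY_START.finditer(config_text):
        option = start.group(1)
        pos, prev = start.end(), None
        while True:
            tok = TOKEN.match(config_text, pos)
            if tok is None or tok.group(0) == "]":
                break  # end of array, or an unterminated string
            text, pos = tok.group(0), tok.end()
            if text.isspace():
                continue
            # Two string literals in a row means the separator is missing.
            if prev and prev[0] in "\"'" and text[0] in "\"'":
                line = config_text.count("\n", 0, tok.start()) + 1
                findings.append((line, option, prev, text))
            prev = text
    return findings

if __name__ == "__main__":
    for line, option, left, right in find_missing_commas(SAMPLE):
        print(f"line {line}: {option}: missing comma between {left} and {right}")
```

Strings are tokenized before the closing bracket is looked for, so field references such as "[beat][hostname]" do not end the array early.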

berrytchaks

Reputation: 849

My guess is that you forgot to put the port in quotes; that is, instead of 25000 use "25000". Try this:

input {

    beats {
        port => "25000"
    }
}

filter{
    mutate {
        remove_field => ["@timestamp", "beat","input_type","offset","source","type","@version","host","tags"]
    }
}

output {

    elasticsearch {
        hosts => ["http://xx.xx.xx.xx:XX"]
        user => "elastic"
        password => "changeme"
    }
}

Input

This is from Filebeat

Output

{
    "_index" : "logstash-",
    "_type" : "logs",
    "_id" : "AVwglLbLfqaeaIoZluvE",
    "_score" : 1.0,
    "_source" : {
      "message" : "This is from Filebeat"
    }
}

I also removed the fields "@version","host" and "tags".

Hope this helps.

Upvotes: 0
