linnur
Reputation: 1
How to remove unwanted fields logstash (ELK)
How can I remove unnecessary fields? Type: agent.ephemeral_id agent.id winlog.provider_guid
I tried, but Kibana stops showing logs at all
- drop_fields:
fields: ["date_created", "ecs.version", "agent.version", "agent.type", "agent.id"]
In logstash I have these configs: filter.conf, input.conf, output.conf
Filter:
filter {
if "winsrvad" in [tags] {
if [winlog][event_id] != "5136" and [winlog][event_id] !=ent_id] != "4729" and id] != "4734" {
drop { }
}
}
}
Upvotes: 0
Views: 2529
Answers (3)
Minh Vu
Reputation: 51
The drop option will ignore the entire log, you can use remove_field option inside the mutate plugin instead.
For example:
mutate {
remove_field => [
"date_created",
"[ecs][version]",
"[agent][version]",
"[agent][type]",
"[agent][id]"
]
}
I have written a detailed tutorial for this: How to Remove Field in Logstash.
Upvotes: -2
Ashok
Reputation: 1
You can use mutate;like below
mutate {
remove_field => [ "date_created", "ecs.version", "agent.version", "agent.type", "agent.id"]
}
Upvotes: 0
Shiva Janssens
Reputation: 71
I would suggest using prune to blacklist the 'unnecessary fields' when the condition is met.
See documentation: https://www.elastic.co/guide/en/logstash/current/plugins-filters-prune.html
Upvotes: 1
Related Questions
- Logstash filter remove_field for all fields except a specified list of fields
- how to remove field in logstash output
- Removing unwanted fields in Logstash configuration file
- Leave out default Logstash fields in ElasticSearch
- Eliminate the top-level field in Logstash
- Logstash remove fields by regex
- Logstash - remove deep field from json file
- How to deal with empty fields in Logstash
- logstash add_field and remove_field
- Remove unnecessary fields in ElasticSearch