Created
December 9, 2013 22:26
logstash remove fields with mutate filter
mutate {
  remove_field => ['geoip.areacode', 'geoip.continent_code', 'geoip.country_code3', 'geoip.country_name', 'geoip.dma_code',
                   'geoip.latitude', 'geoip.longitude', 'geoip.postal_code', 'geoip.real_region_name',
                   'ua.minor', 'ua.major', 'ua.os_minor', 'ua.os_major', 'ua.patch', 'ua.os_name' ]
}
FTR, to get it to work with a JSON hierarchy, fields must be defined with the following notation
mutate {
remove_field => [ '[geoip][continent_code]', '[geoip][country_code3]', '[geoip][country_name]', '[geoip][dma_code]', '[geoip][ip]',
'[geoip][latitude]', '[geoip][longitude]', '[geoip][postal_code]', '[geoip][real_region_name]', '[geoip][area_code]',
'[ua][minor]', '[ua][major]', '[ua][os_minor]', '[ua][os_major]', '[ua][patch]' ]
}
Just wanted to say that the last comment solved my json hierarchy problem after days of fighting with it. Thank you!
glad this helped you :)
input {
  stdin {
    add_field => { 'geoip.areacode' => 'adas' }
    add_field => { 'ua.minor' => 'asdasd' }
    add_field => { 'other.field' => 'dasdas' }
  }
}
filter {
  mutate {
    remove_field => ['geoip.areacode', 'geoip.continent_code', 'geoip.country_code3', 'geoip.country_name', 'geoip.dma_code', 'geoip.ip',
                     'geoip.latitude', 'geoip.longitude', 'geoip.postal_code', 'geoip.real_region_name',
                     'ua.minor', 'ua.major', 'ua.os_minor', 'ua.os_major', 'ua.patch', 'ua.os_name' ]
  }
}
output {
  stdout { }
}
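
The difference between the dotted names in the gist and the bracket notation from the comment, as an added Ruby example (not part of the gist and not Logstash's own code). It is a simplified model that assumes a bare name such as 'geoip.latitude' addresses one top-level field, as the test config's add_field creates, while '[geoip][latitude]' walks the nested JSON; helper names and sample events are constructed for illustration.

```ruby
# Simplified model of Logstash field references (assumption, not Logstash code):
#   "[a][b]" -> path into nested hashes; "a.b" -> one top-level key named "a.b".
def parse_field_reference(ref)
  return ref.scan(/\[([^\[\]]+)\]/).flatten if ref =~ /\A(\[[^\[\]]+\])+\z/
  [ref]
end

# Delete the referenced field; return true only if something was removed.
def remove_field(event, ref)
  *parents, leaf = parse_field_reference(ref)
  target = parents.reduce(event) do |node, key|
    return false unless node[key].is_a?(Hash)
    node[key]
  end
  return false unless target.key?(leaf)
  target.delete(leaf)
  true
end

# Apply a remove_field list and return the references that matched nothing,
# i.e. the entries that would be silent no-ops in the filter.
def apply_remove_fields(event, refs)
  refs.reject { |ref| remove_field(event, ref) }
end

# Constructed sample: an event with nested geoip/ua objects (JSON hierarchy).
def nested_event
  { 'message' => 'GET /',
    'geoip' => { 'latitude' => 40.4, 'longitude' => -3.7, 'country_name' => 'Spain' },
    'ua' => { 'minor' => '0' } }
end

# Constructed sample: the flat, dotted top-level keys the test config adds.
def flat_event
  { 'message' => 'x', 'geoip.areacode' => 'adas',
    'ua.minor' => 'asdasd', 'other.field' => 'dasdas' }
end

dotted   = ['geoip.latitude', 'geoip.longitude', 'ua.minor']
brackets = ['[geoip][latitude]', '[geoip][longitude]', '[ua][minor]']

event = nested_event
puts "dotted on nested, unmatched:   #{apply_remove_fields(event, dotted).inspect}"
puts "event still holds coordinates: #{event['geoip'].key?('latitude')}"
puts "brackets on nested, unmatched: #{apply_remove_fields(nested_event, brackets).inspect}"
puts "dotted on flat, unmatched:     #{apply_remove_fields(flat_event, dotted).inspect}"
```

A remove_field entry that matches nothing is skipped silently, so location or user-agent data meant to be stripped can still reach the output. Checking one real event on stdout after changing the list catches this.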