当前,我使用Beats Input将Filebeat 6.6.0直接连接到graylog 3.0.0。我以前删除了logstash配置中filebeat中的某些字段,如下所示:
mutate {
remove_field => [ "[prospector][type]","[host][architecture]", "[host][containerized]", "[host][id]", "[host][os][platform]", "[host][os][family]","[beat][version]", "[offset]", "[input][type]", "[meta][cloud][provider]", "[meta][cloud][machine_type]", "[meta][cloud][instance_id]", "[meta][cloud][region]", "[meta][cloud][instance_name]", "[source]"]
}
在Graylog中,我学会了使用管道删除任何字段。然后,我创建了如下规则以删除字段:
rule "function removeFields"
when
has_field("beats_type")
then
remove_field("beats_type");
remove_field("filebeat_@metadata_beat");
remove_field("filebeat_@metadata_type");
remove_field("filebeat_@metadata_version");
remove_field("filebeat_@timestamp");
remove_field("filebeat_beat_hostname");
remove_field("filebeat_beat_name");
remove_field("filebeat_host_architecture");
remove_field("filebeat_host_containerized");
remove_field("filebeat_host_id");
remove_field("filebeat_host_name");
remove_field("filebeat_host_os_codename");
remove_field("filebeat_host_os_family");
remove_field("filebeat_host_os_name");
remove_field("filebeat_host_os_platform");
remove_field("filebeat_host_os_version");
remove_field("filebeat_input_type");
remove_field("filebeat_meta_cloud_instance_id");
remove_field("filebeat_log_file_path");
remove_field("filebeat_meta_cloud_instance_name");
remove_field("filebeat_meta_cloud_machine_type");
remove_field("filebeat_meta_cloud_provider");
remove_field("filebeat_meta_cloud_region");
remove_field("filebeat_prospector_type");
end
我按照以下步骤测试更改: 停止filebeat,graylog,mongodb 重置注册表中的偏移量 删除graylog_0索引:
curl -XDELETE localhost:9200/graylog_0
启动mongodb,graylog,filebeat
但是,我仍然在搜索中包含以下字段:
如何摆脱filebeat字段?
非常感谢您的帮助