
Unable to drop or truncate the 'message' field

Open ag-michael opened this issue 2 years ago • 2 comments

Hi,

I am using the latest winlogbeat and I am unable to drop the "message" field using the drop_fields filter plugin config:

filter:
  - drop_fields:
      fields: [event_data.Binary, message]

As suggested here: https://discuss.elastic.co/t/add-winlogbeat-option-to-truncate-security-message-field-to-just-first-line/49409

Using the processors section drop fields directive as mentioned here: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html

or

Truncating it using a copy-paste of the example in the docs here: https://www.elastic.co/guide/en/beats/winlogbeat/master/truncate-fields.html

The 'message' field is a duplicate of parsed json data, and removing it would save a lot of bandwidth and storage. Is there no way to do this? From what I've read in the docs, 'message' is the field used in the examples, so this should be possible. However, no matter what I've tried, it keeps showing up in the destination logstash.

ag-michael, May 22 '23 01:05
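As an added example (not part of the issue or of the winlogbeat project's own configuration), a winlogbeat.yml fragment that removes the message field for one channel and truncates it elsewhere. Beats read processors from the top-level `processors` key, which is the section the linked reference configuration documents; the channel name, the `winlog.event_data.Binary` field name (7.x+ schema), the 1000-character limit and the Logstash host are assumptions chosen for illustration.

```yaml
# Added example, not from the issue. Beats processors are configured under the
# top-level `processors` key of winlogbeat.yml. Field names, the channel and the
# character limit below are assumptions for illustration.
winlogbeat.event_logs:
  - name: Security

processors:
  # Drop the binary payload and the rendered message for Security events only;
  # the parsed winlog.* / winlog.event_data.* fields stay in the event.
  - drop_fields:
      when:
        equals:
          winlog.channel: Security
      fields: [winlog.event_data.Binary, message]
      ignore_missing: true

  # For every other channel keep the message but cap it at the first 1000
  # characters so the duplicated text does not dominate bandwidth and storage.
  # ignore_missing covers events whose message was already dropped above.
  - truncate_fields:
      fields: [message]
      max_characters: 1000
      fail_on_error: false
      ignore_missing: true

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder destination
```

`winlogbeat test config -c winlogbeat.yml` validates the file before restarting the service; temporarily switching the output to `output.console` shows whether the message field is gone before any event reaches Logstash.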

This issue doesn't have a Team:<team> label.

botelastic[bot], May 22 '23 01:05

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

botelastic[bot], May 21 '24 02:05