IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Drop events Extract array »
Elastic Docs Fleet and Elastic Agent Guide [8.15] Define processors

Drop fields from events

edit

Drop fields from events

edit

The drop_fields processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The @timestamp and type fields cannot be dropped, even if they show up in the drop_fields list.

Example

edit
  - drop_fields:
      when:
        condition
      fields: ["field1", "field2", ...]
      ignore_missing: false

If you define an empty list of fields under drop_fields, no fields are dropped.

Configuration settings

edit

Elastic Agent processors execute before ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer to What are some limitations of using processors?

Name Required Default Description

fields

Yes

If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (/reg_exp/), in order to match (name) and remove more than one field.

ignore_missing

No

false

If true, the processor ignores missing fields and does not return an error.

See Conditions for a list of supported conditions.

« Drop events Extract array »