Logstash prune Filter Plugin

The prune filter plugin in Logstash is used to remove specific fields from events based on defined criteria. This plugin is particularly useful when you want to reduce the size of your events by eliminating unnecessary or redundant fields, thus optimizing data processing and storage.

Syntax

The basic syntax for the prune filter plugin is as follows:

filter {
  prune {
    whitelist_names => [ "field1", "field2", ... ]
    blacklist_names => [ "field3", "field4", ... ]
    whitelist_values => { "field" => ["value1", "value2", ...] }
    blacklist_values => { "field" => ["value3", "value4", ...] }
  }
}

For more detailed information, refer to the official Logstash prune filter plugin documentation.

Example Use Case

Suppose you have log events with numerous fields, but you only want to keep specific fields for analysis. You can use the prune filter to keep only the desired fields:

filter {
  prune {
    whitelist_names => [ "timestamp", "user_id", "action", "status" ]
  }
}

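This configuration removes every top-level field whose name does not match "timestamp", "user_id", "action", or "status". Each entry is matched as a regular expression, so anchor it (for example "^status$") when only the exact field name should be kept.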
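
An added example, not code from the plugin or this page: a Ruby model of whitelist_names matching, assuming each entry is an unanchored regular expression tested against top-level field names only. It runs the whitelist above and an anchored version over a constructed event to show which extra fields the plain names keep; prune_whitelist and leaked_fields are hypothetical helper names.

```ruby
# Added example: a stand-alone model of prune's whitelist_names matching.
# Assumption: each entry is compiled as an unanchored regular expression and
# tested against top-level field names only (this is not the plugin's code).

# Return the subset of `event` whose top-level field names match any pattern.
def prune_whitelist(event, whitelist_names)
  patterns = Regexp.union(whitelist_names.map { |name| Regexp.new(name) })
  event.select { |field, _value| field.match?(patterns) }
end

# Constructed sample event; the field names and values are made up.
SAMPLE_EVENT = {
  "timestamp"     => "2024-01-01T00:00:00Z",
  "user_id"       => "1042",
  "user_id_token" => "constructed-secret-value",
  "action"        => "login",
  "transaction"   => { "card_number" => "0000-0000-0000-0000" },
  "status"        => "ok",
  "http_status"   => 200,
  "password"      => "constructed-password"
}.freeze

# Whitelist as written on the page: plain names, which act as substrings.
LOOSE = ["timestamp", "user_id", "action", "status"].freeze
# Same intent with each name anchored so only exact field names match.
STRICT = LOOSE.map { |name| "^#{Regexp.escape(name)}$" }.freeze

# Fields the loose whitelist keeps that the strict one would have removed.
def leaked_fields(event, loose, strict)
  prune_whitelist(event, loose).keys - prune_whitelist(event, strict).keys
end

if __FILE__ == $PROGRAM_NAME
  puts "loose keeps:  #{prune_whitelist(SAMPLE_EVENT, LOOSE).keys.inspect}"
  puts "strict keeps: #{prune_whitelist(SAMPLE_EVENT, STRICT).keys.inspect}"
  puts "leaked:       #{leaked_fields(SAMPLE_EVENT, LOOSE, STRICT).inspect}"
end
```

In this model "action" also matches "transaction", so the whole nested object, including its card_number subfield, survives the loose whitelist.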

Common Issues and Best Practices

  1. Be cautious when using blacklist_names, as it might inadvertently remove important fields if not configured correctly.
  2. Use whitelist_names when you know exactly which fields you want to keep, as it's generally safer than blacklisting.
  3. Remember that prune operates on the top-level fields by default. To prune nested fields, you may need to use additional plugins like ruby or mutate.
  4. Always test your prune filter configuration thoroughly to ensure you're not accidentally removing critical data.

Frequently Asked Questions

Q: Can the prune filter remove fields based on their values?
A: Yes, you can use the whitelist_values or blacklist_values options to remove fields based on their values.

Q: How does the prune filter handle nested fields?
A: By default, prune only operates on top-level fields. For nested fields, you may need to use additional plugins or a more complex configuration.

Q: Can I use regular expressions with the prune filter?
A: Yes, you can use regular expressions in the field names for both whitelist and blacklist options.

Q: What happens if I whitelist a field that doesn't exist in the event?
A: Nothing happens; the prune filter will simply ignore non-existent fields in its whitelist.

Q: Is it possible to combine whitelist and blacklist options in the same prune filter?
A: Yes, you can use both whitelist and blacklist options together, but be careful as this can lead to complex and potentially confusing configurations.
