Ignore missing fields in Zeek module in drop_fields (elastic#19984)
kvch authored Jul 20, 2020
1 parent a6bac24 commit c60f849
Showing 4 changed files with 5 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -215,6 +215,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494]
- Fix bug with empty filter values in system/service {pull}19812[19812]
- Fix S3 input to trim delimiter /n from each log line. {pull}19972[19972]
- Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984]

*Heartbeat*

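Review bot: The added changelog entry has a typo and a dropped word: "unecessary" should be "unnecessary", and "Ignore missing" reads as if "fields" was left out. Suggest `- Ignore missing fields in Zeek module when dropping unnecessary fields. {pull}19984[19984]`, which also matches the commit title.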
Expand Up @@ -12,6 +12,7 @@ json.keys_under_root: false
processors:
- drop_fields:
fields: ["json.orig_bytes","json.resp_bytes","json.tunnel_parents"]
ignore_missing: true
- rename:
fields:
- from: "json"
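Review bot: With `ignore_missing: true` on this `drop_fields`, a misspelled entry in `fields` no longer raises an error either, so a typo in `json.orig_bytes`, `json.resp_bytes` or `json.tunnel_parents` would silently leave that field in the event. Suggest a short YAML comment above the processor stating which of the three keys are expected to be absent from some records, so a later edit to the list can be checked against that intent.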
1 change: 1 addition & 0 deletions x-pack/filebeat/module/zeek/files/config/files.yml
Expand Up @@ -12,6 +12,7 @@ json.keys_under_root: false
processors:
- drop_fields:
fields: ["json.x509"]
ignore_missing: true
- rename:
fields:
- from: "json"
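Review bot: Test coverage is missing for the absent `json.x509` case: the commit shows 4 changed files, the changelog and processor configs, and none adds a sample record without `json.x509`. Suggest adding such a record to the fileset's test input so that a later removal of `ignore_missing: true` fails a test rather than surfacing as processing errors on live data.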
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/zeek/notice/config/notice.yml
Expand Up @@ -12,6 +12,7 @@ json.keys_under_root: false
processors:
- drop_fields:
fields: ["json.actions"]
ignore_missing: true
- rename:
fields:
- from: "json"
Expand Down Expand Up @@ -79,6 +80,7 @@ processors:

- drop_fields:
fields: ["zeek.notice.remote_location", "zeek.notice.f"]
ignore_missing: true
- convert:
fields:
- {from: "zeek.session_id", to: "event.id"}
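Review bot: The `convert` that follows this `drop_fields` reads `zeek.session_id`, and the visible lines do not show whether it tolerates an absent source field. Since this change is about records that lack optional fields, confirm that the `convert` block also sets `ignore_missing: true`, or that `zeek.session_id` is always present in notice records.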