Metricbeat drop event is not working



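Can you help me with a problem with Metricbeat? I am trying to set up a new drop_events (processor), but without success. I want to drop all events that do not have "system". Can you tell me whether this is possible?

Take a look at what I have set in the metricbeat.yml file.

Thank you very much for your help and time.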

drop_event.when:
  not:
    has_fields: ['system']

An example event follows:

{
  "@timestamp": "2021-07-13T08:03:27.547Z",
  "@metadata": {
    "beat": "metricbeat",
    "type": "_doc",
    "version": "7.10.0"
  },
  "event": {
    "dataset": "system.diskio",
    "module": "system"
  },
  "metricset": {
    "period": 60000,
    "name": "diskio"
  },
  "fields": {
    "uuid": "*********************************"
  },
  "ecs": {
    "version": "1.6.0"
  },
  "agent": {
    "hostname": "************",
    "ephemeral_id": "****************************",
    "id": "*************************************",
    "name": "***********",
    "type": "metricbeat",
    "version": "7.10.0"
  },
  "service": {
    "type": "system"
  },
  "host": {
    "disk": {
      "read.bytes": 237568,
      "write.bytes": 2743296
    },
    "name": "**********"
  },
  "tag": "metricbeat",
  "customer_id": "3"
}

The provided snippet does not follow the processor syntax documented at https://www.elastic.co/guide/en/beats/metricbeat/current/defining-processors.html.

According to the documentation, it should be:

processors:
  - drop_event:
      when:
        not:
          has_fields: ['system']
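
An added example, not part of the original answer and not Beats code: a simplified Python model of how the `when` condition above is evaluated against the event posted in the question. It shows that `has_fields` tests whether a field exists, not what any field contains; the `equals` variant on `event.module` is an assumption added for comparison, and only `not`, `has_fields` and `equals` are modelled.

```python
# Simplified model of how a Beats `when` condition is evaluated.
# Not Beats code: only `not`, `has_fields` and `equals` are modelled.

def lookup(event, path):
    """Resolve a dotted path such as 'event.module'; return (found, value)."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def matches(cond, event):
    """Return True when the event satisfies every operator in the condition."""
    results = []
    for op, arg in cond.items():
        if op == "not":
            results.append(not matches(arg, event))
        elif op == "has_fields":
            # True only if every listed field exists; values are ignored.
            results.append(all(lookup(event, f)[0] for f in arg))
        elif op == "equals":
            # True only if every listed field exists and holds the given value.
            results.append(all(lookup(event, f) == (True, v) for f, v in arg.items()))
        else:
            raise ValueError(f"condition not modelled: {op}")
    return all(results)

def dropped(when, event):
    """drop_event discards the event when its condition is true."""
    return matches(when, event)

# Constructed sample, trimmed from the event posted in the question.
EVENT = {
    "event": {"dataset": "system.diskio", "module": "system"},
    "metricset": {"name": "diskio"},
    "service": {"type": "system"},
    "host": {"disk": {"read.bytes": 237568, "write.bytes": 2743296}},
}

# Condition from the page: drop when no field named `system` exists.
BY_FIELD = {"not": {"has_fields": ["system"]}}
# Assumed alternative: decide by the value of event.module instead.
BY_MODULE = {"not": {"equals": {"event.module": "system"}}}

if __name__ == "__main__":
    print("has_fields variant drops sample:", dropped(BY_FIELD, EVENT))
    print("equals variant drops sample:", dropped(BY_MODULE, EVENT))
```

The posted event carries the string "system" only as values (`event.module`, `service.type`) and has no field named `system`, so in this model the `has_fields` condition drops it while the `equals` variant keeps it.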
