I recently started working with Packetbeat.
For my use case, I only need some specific fields (to the point where, if I could, I would completely rewrite the mapping, but I am leaving that as a last resort).
I tried removing some of the fields from the "dns.answers" array of objects, but what I did doesn't seem to have any effect:
```yaml
- include_fields:
    fields:
      - dns.question.name
      - dns.question.type
      - dns.answers
      - dns.answers_count
      - dns.resolved_ip
- drop_fields:
    fields:
      - dns.answers.name
```
In addition, I also tried including only the fields I want, but that didn't seem to work either, e.g.:
```yaml
- include_fields:
    fields:
      - dns.question.name
      - dns.question.type
      - dns.answers.data
      - dns.answers_count
      - dns.resolved_ip
```
Any ideas? If rewriting the template/mapping of the index is the best choice, or perhaps using the Ingest Node Pipelines is a better approach, I'd love to hear it.
Thanks
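The following is an added illustration, not the poster's configuration or Packetbeat's own code: it models two ways of resolving a path such as `dns.answers.name` against a DNS event, a flat dotted-path delete that only walks maps, and a per-element delete over the `dns.answers` array (the semantics an ingest `foreach` processor wrapping a `remove` of `_ingest._value.name` gives). It assumes, as this example's premise rather than a verified fact about the Beats implementation, that a flat dotted-path processor does not descend into an array of objects; the sample event is constructed, not captured traffic.

```python
import copy

# Constructed sample shaped like a Packetbeat DNS event (not captured data).
SAMPLE_EVENT = {
    "dns": {
        "question": {"name": "example.com", "type": "A"},
        "answers": [
            {"name": "example.com", "type": "A", "data": "192.0.2.10", "ttl": 300},
            {"name": "example.com", "type": "A", "data": "192.0.2.11", "ttl": 300},
        ],
        "answers_count": 2,
        "resolved_ip": ["192.0.2.10", "192.0.2.11"],
    }
}


def drop_dotted(event, path):
    """Flat dotted-path delete: walks dict keys only, never into a list.
    'dns.answers.name' fails because 'dns.answers' is a list. Returns True if removed."""
    node = event
    parts = path.split(".")
    for key in parts[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return False
    if isinstance(node, dict) and parts[-1] in node:
        del node[parts[-1]]
        return True
    return False


def drop_in_each(event, array_path, key):
    """Per-element delete, the semantics of an ingest `foreach` processor wrapping
    a `remove` of `_ingest._value.<key>`. Returns the number of objects changed."""
    node = event
    for part in array_path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    if not isinstance(node, list):
        return 0
    removed = 0
    for item in node:
        if isinstance(item, dict) and item.pop(key, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    flat, per_element = copy.deepcopy(SAMPLE_EVENT), copy.deepcopy(SAMPLE_EVENT)
    print("flat drop removed:", drop_dotted(flat, "dns.answers.name"))  # False
    print("per-element removed:", drop_in_each(per_element, "dns.answers", "name"))  # 2
```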