This is a cache of https://www.elastic.co/guide/en/beats/packetbeat/8.19/drop-fields.html. It is a snapshot of the page as it appeared on 2025-11-23T03:01:42.843+0000.
Drop field<strong>s</strong> from event<strong>s</strong> | Packetbeat Reference [8.19] | Ela<strong>s</strong>tic
« Drop events Extract array »
Elastic Docs Packetbeat Reference [8.19] Configure Packetbeat Filter and enhance data with processors

Drop fields from events

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Drop fields from events

edit

The drop_fields processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The @timestamp and type fields cannot be dropped, even if they show up in the drop_fields list.

processors:
  - drop_fields:
      when:
        condition
      fields: ["field1", "field2", ...]
      ignore_missing: false

see Conditions for a list of supported conditions.

If you define an empty list of fields under drop_fields, then no fields are dropped.

The drop_fields processor has the following configuration settings:

fields
If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (/reg_exp/), in order to match (name) and remove more than one field.
ignore_missing
(Optional) If true the processor will not return an error when a specified field does not exist. Defaults to false.
« Drop events Extract array »