Filtering noisy events at the Filebeat edge keeps Elasticsearch data streams smaller, reduces ingest overhead, and prevents repetitive health checks or debug chatter from crowding dashboards, searches, and alerts.
Filebeat reads each event, runs its processor list in order, and ships only the transformed result. The drop_event processor discards the entire event when its when condition matches, while drop_fields removes selected fields from events that still need to be indexed.
On Linux package installs, processor rules usually live in /etc/filebeat/filebeat.yml and take effect only after a successful config test and service restart. Current Elastic docs still require a when condition for drop_event (without one, every event would be dropped), and drop_fields still cannot remove @timestamp or type. Keep drop conditions specific, and place field-drop or rename processors at the end of the list so that no later processor looks for a field that has already been removed.
Related: How to configure Filebeat processors
Related: How to configure Filebeat inputs
$ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
Restore the previous settings quickly by copying filebeat.yml.bak back over filebeat.yml if a later config test fails.
$ sudo nano /etc/filebeat/filebeat.yml
processors:
  - drop_event:
      when:
        or:
          - equals:
              log.level: "debug"
          - regexp:
              message: '^GET /healthz\b'
  - drop_fields:
      fields:
        - "agent.ephemeral_id"
        - "log.offset"
      ignore_missing: true
Keep a single top-level processors: block when the rules should affect every input. To scope the same logic to one source only, place the list under that input or under the module's input: section instead.
Add a when: block under drop_fields too when field trimming should apply only to specific events.
drop_event discards matching events before they leave the host, so nothing can be recovered from Elasticsearch later; an over-broad condition silently removes evidence before any search or detection rule sees it. drop_fields cannot remove @timestamp or type even when they are listed.
Elastic's current processor guidance recommends leaving field removal and renaming until the end of the list, so that later processors which read those fields do not find them already gone.
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
Related: How to test a Filebeat configuration
$ sudo systemctl restart filebeat
$ sudo systemctl is-active filebeat
active
$ sudo journalctl -u filebeat.service --no-pager --lines=80
Look for YAML parsing errors, missing fields in conditions, or unintended matches that are broader than expected.
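A way to catch those over-broad matches before the restart is to dry-run the conditions against a handful of representative log lines. The script below is an added example, not Filebeat's own code: it re-implements the equals, regexp, or/and/not, drop_event and drop_fields semantics described on this page in Python, expresses the processor list from filebeat.yml as the dicts a YAML loader would produce, and runs it over constructed sample events. Filebeat compiles regexp patterns with Go's RE2 engine, so Python's re module is only an approximation for patterns that use features RE2 lacks; for the simple anchored pattern used here the behaviour is the same. Note how the second sample event, a request to /healthz-history, is dropped by ^GET /healthz\b because \b also matches before a hyphen, and how log.level DEBUG survives because equals is an exact, case-sensitive comparison.

```python
"""Offline dry run of drop_event / drop_fields rules from filebeat.yml.

Added example re-implementing the processor semantics for illustration;
this is not Filebeat's code. Filebeat evaluates `regexp` with Go RE2,
so Python's `re` is an approximation for more exotic patterns.
"""
import copy
import re

# Filebeat never removes these, even when they appear under drop_fields.
PROTECTED_FIELDS = {"@timestamp", "type"}

# The processor list shown in filebeat.yml, as a YAML loader would produce it.
PROCESSORS = [
    {"drop_event": {"when": {"or": [
        {"equals": {"log.level": "debug"}},
        {"regexp": {"message": r"^GET /healthz\b"}},
    ]}}},
    {"drop_fields": {"fields": ["agent.ephemeral_id", "log.offset"],
                     "ignore_missing": True}},
]

# Constructed sample events in Filebeat's nested form ("log.level" is log -> level).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00.000Z", "type": "log",
     "message": "GET /healthz HTTP/1.1 200",
     "log": {"level": "info", "offset": 0}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:01.000Z", "type": "log",
     "message": "GET /healthz-history HTTP/1.1 200",  # \b matches before '-'
     "log": {"level": "info", "offset": 40}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:02.000Z", "type": "log",
     "message": "cache miss for session key",
     "log": {"level": "debug", "offset": 88}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:03.000Z", "type": "log",
     "message": "user login failed for admin",  # "DEBUG" != "debug", kept
     "log": {"level": "DEBUG", "offset": 130}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:04.000Z", "type": "log",
     "message": "POST /healthz HTTP/1.1 405", "log": {"level": "info"}},
]


def get_field(event, path):
    """Resolve a dotted field path against nested dicts; return (value, present)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def delete_field(event, path):
    """Delete a dotted field path in place; return True if it existed."""
    parts = path.split(".")
    parent = get_field(event, ".".join(parts[:-1]))[0] if len(parts) > 1 else event
    if isinstance(parent, dict) and parts[-1] in parent:
        del parent[parts[-1]]
        return True
    return False


def matches(cond, event):
    """Evaluate a Filebeat-style condition: equals, regexp, or, and, not."""
    if "or" in cond:
        return any(matches(c, event) for c in cond["or"])
    if "and" in cond:
        return all(matches(c, event) for c in cond["and"])
    if "not" in cond:
        return not matches(cond["not"], event)
    if "equals" in cond:  # exact, type- and case-sensitive comparison
        return all(get_field(event, f) == (v, True) for f, v in cond["equals"].items())
    if "regexp" in cond:  # unanchored search unless the pattern anchors itself
        for f, pattern in cond["regexp"].items():
            value, present = get_field(event, f)
            if not (present and isinstance(value, str) and re.search(pattern, value)):
                return False
        return True
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def validate(processors):
    """Return configuration problems Filebeat would reject at startup."""
    problems = []
    for proc in processors:
        (name, settings), = proc.items()
        if name == "drop_event" and "when" not in settings:
            problems.append("drop_event: when condition is required, else every event is dropped")
    return problems


def run_processors(processors, event):
    """Apply processors in order; return (event or None when dropped, errors)."""
    event, errors = copy.deepcopy(event), []
    for proc in processors:
        (name, settings), = proc.items()
        when = settings.get("when")
        if when is not None and not matches(when, event):
            continue
        if name == "drop_event":
            return None, errors
        if name == "drop_fields":
            for field in settings["fields"]:
                if field in PROTECTED_FIELDS:
                    continue  # @timestamp and type are never removed
                if not delete_field(event, field) and not settings.get("ignore_missing", False):
                    errors.append(f"drop_fields: field {field} missing")
        else:
            raise ValueError(f"unsupported processor: {name}")
    return event, errors


def dry_run(processors, events):
    """Return the events that would still be shipped after all processors ran."""
    return [res for res, _ in (run_processors(processors, e) for e in events) if res is not None]


if __name__ == "__main__":
    for problem in validate(PROCESSORS):
        print("config problem:", problem)
    kept = dry_run(PROCESSORS, SAMPLE_EVENTS)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} sample events would be shipped")
    for e in kept:
        print(f"  [{e['log']['level']}] {e['message']}  fields={sorted(e)}")
```

Swap SAMPLE_EVENTS for a few lines from the real log (in the same nested form) and adjust PROCESSORS as the rules change; if a line you need for investigation disappears from the dry-run output, tighten the condition before touching /etc/filebeat/filebeat.yml.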