Filtering noisy events at the Filebeat edge keeps Elasticsearch data streams smaller, reduces ingest overhead, and prevents repetitive health checks or debug chatter from crowding dashboards, searches, and alerts.
Filebeat reads each event, runs its processor list in order, and ships only the transformed result. The drop_event processor discards the entire event when its when condition matches, while drop_fields removes selected fields from events that still need to be indexed.
On Linux package installs, processor rules usually live in /etc/filebeat/filebeat.yml and take effect only after a successful config test and service restart. Current Elastic docs still require a when condition for drop_event, and drop_fields still cannot remove @timestamp or type, so filters should stay specific and field-drop or rename processors should be placed at the end of the list.
Related: How to configure Filebeat processors
Related: How to configure Filebeat inputs
Steps to filter and drop events in Filebeat:
- Create a backup of the current Filebeat configuration before editing processor rules.
$ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
Restore the previous settings quickly by copying filebeat.yml.bak back over filebeat.yml if a later config test fails.
- Open the Filebeat configuration file.
$ sudo nano /etc/filebeat/filebeat.yml
- Add or update the relevant processors: list with explicit drop rules for the events that should never leave the agent.
processors:
  - drop_event:
      when:
        or:
          - equals:
              log.level: "debug"
          - regexp:
              message: '^GET /healthz\b'
  - drop_fields:
      fields:
        - "agent.ephemeral_id"
        - "log.offset"
      ignore_missing: true
Keep a single top-level processors: block when the rules should affect every input. To scope the same logic to one source only, place the list under that input or under the module's input: section instead.
Add a when: block under drop_fields too when field trimming should apply only to specific events.
drop_event removes matching events permanently, and drop_fields cannot remove @timestamp or type.
- Keep field-drop or rename processors at the end of the list when later processors still need the original event data.
Elastic's current processor guidance recommends leaving field removal and renaming until the end so later processors do not lose required values.
- Test the Filebeat configuration before reloading the service.
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
Related: How to test a Filebeat configuration
- Restart the Filebeat service to load the updated processor chain.
$ sudo systemctl restart filebeat
- Confirm that the Filebeat unit returned to an active state.
$ sudo systemctl is-active filebeat
active
- Review the recent Filebeat journal if the service does not stay active or expected events still appear downstream.
$ sudo journalctl -u filebeat.service --no-pager --lines=80
Look for YAML parsing errors, missing fields in conditions, or unintended matches that are broader than expected.
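To check how the drop_event and drop_fields rules from the configuration above behave on concrete input before touching a live agent, here is a small Python emulation of a processors list. It is an added example, not code from Filebeat or Elastic: it models the documented behaviour (processors run in list order, drop_event needs a when condition, drop_fields never removes @timestamp or type) with plain dicts. The sample events are constructed, and the regexp condition is evaluated with Python's re rather than Go's RE2, which is assumed to agree for this pattern.

```python
import copy
import re

# Constructed sample events, shaped loosely like Filebeat output (not real
# captures). They cover the cases the rules above must tell apart: debug
# chatter, a health-check probe, a path that only shares the /healthz prefix,
# a non-GET probe, and an ordinary request that must be kept.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "type": "log", "message": "cache warmed",
     "log": {"level": "debug", "offset": 10}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:01Z", "type": "log", "message": "GET /healthz 200 0.3ms",
     "log": {"level": "info", "offset": 20}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:02Z", "type": "log", "message": "GET /healthzone 404 1ms",
     "log": {"level": "info", "offset": 30}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:03Z", "type": "log", "message": "POST /healthz 405 1ms",
     "log": {"level": "warn", "offset": 40}, "agent": {"ephemeral_id": "e1"}},
    {"@timestamp": "2024-05-01T10:00:04Z", "type": "log", "message": "GET /login 401 2ms",
     "log": {"level": "info", "offset": 50}, "agent": {"ephemeral_id": "e1"}},
]

# The processors list from filebeat.yml above, expressed as Python data.
PROCESSORS = [
    {"drop_event": {"when": {"or": [
        {"equals": {"log.level": "debug"}},
        {"regexp": {"message": r"^GET /healthz\b"}},
    ]}}},
    {"drop_fields": {"fields": ["agent.ephemeral_id", "log.offset"],
                     "ignore_missing": True}},
]

PROTECTED_FIELDS = {"@timestamp", "type"}  # drop_fields leaves these alone
_MISSING = object()


def get_field(event, dotted):
    """Resolve a dotted path such as 'log.level' against nested dicts."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def matches(cond, event):
    """Evaluate a 'when' condition tree built from or/and/not/equals/regexp."""
    if "or" in cond:
        return any(matches(c, event) for c in cond["or"])
    if "and" in cond:
        return all(matches(c, event) for c in cond["and"])
    if "not" in cond:
        return not matches(cond["not"], event)
    if "equals" in cond:
        return all(get_field(event, f) == v for f, v in cond["equals"].items())
    if "regexp" in cond:
        # Assumption: Python re and Go RE2 agree for the patterns used here.
        return all(isinstance(get_field(event, f), str)
                   and re.search(p, get_field(event, f)) is not None
                   for f, p in cond["regexp"].items())
    raise ValueError(f"unsupported condition: {cond}")


def drop_field(event, dotted, ignore_missing):
    """Remove one dotted field in place; @timestamp and type are never removed."""
    if dotted in PROTECTED_FIELDS:
        return
    parts = dotted.split(".")
    parent = get_field(event, ".".join(parts[:-1])) if len(parts) > 1 else event
    if isinstance(parent, dict) and parts[-1] in parent:
        del parent[parts[-1]]
    elif not ignore_missing:
        raise KeyError(f"field {dotted} missing and ignore_missing is false")


def run_processors(event, processors):
    """Run the list in order; return the transformed event, or None if dropped."""
    event = copy.deepcopy(event)  # never mutate the caller's event
    for proc in processors:
        (name, cfg), = proc.items()
        when = cfg.get("when")
        if name == "drop_event" and when is None:
            raise ValueError("drop_event requires a when condition")
        if when is not None and not matches(when, event):
            continue
        if name == "drop_event":
            return None
        if name == "drop_fields":
            for f in cfg["fields"]:
                drop_field(event, f, cfg.get("ignore_missing", False))
        else:
            raise ValueError(f"unsupported processor: {name}")
    return event


def filter_events(events, processors=PROCESSORS):
    """Return only the events that survive the processor chain."""
    return [e for e in (run_processors(ev, processors) for ev in events) if e is not None]


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(ev["message"], "->", ev)
```

Running it keeps GET /healthzone, POST /healthz and GET /login while discarding the debug line and the anchored GET /healthz probe, which is the quickest way to confirm that a regexp is neither broader nor narrower than intended. Because the emulator applies processors in list order, it also shows why field trimming belongs last: a drop_fields that removed log.level ahead of drop_event would leave the equals rule with nothing to match, and the debug chatter would reach Elasticsearch.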
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
