Filebeat - Certain fields in “drop_fields” are not dropped


I'm trying to drop certain fields using Filebeat's drop_fields processor, so that they will not be indexed to my Elasticsearch. I'm using version 8.8.0 for both Filebeat and Elasticsearch.

Most of the fields specified in the drop_fields array are dropped, but a few are not, e.g. source.geo.city_name, destination.geo.location.lon, and network.direction. Except for network.direction, all the field names that were dropped only have one period in them, e.g. abc.def.

A portion of the relevant configuration in filebeat.yml is

processors:
  - drop_fields:
      fields: ["destination.bytes", "destination.geo.location.lon", "ecs.version", "source.bytes", "source.geo.city_name", "network.direction", "source.packets"]

Why are some of these fields not dropped?
