Keep fields from eventsedit

The include_fields processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The @timestamp, @metadata and type fields are always exported, even if they are not defined in the include_fields list.

processors:
  - include_fields:
      when:
        condition
      fields: ["field1", "field2", ...]

See Conditions for a list of supported conditions.

You can specify multiple include_fields processors under the processors section.

If you define an empty list of fields under include_fields, then only the required fields, @timestamp and type, are exported.