(feat): Adds mutate:remove filter to remove fields.

TimberWinR/Filters/MutateFilter.cs

@@ -19,6 +19,7 @@ namespace TimberWinR.Parser
                         new JProperty("condition", Condition),
                         new JProperty("splits", Split),
                         new JProperty("type", Type),
+                        new JProperty("remove", Remove),
                         new JProperty("rename", Rename),
                         new JProperty("replace", Replace)                       
                         )));
@@ -42,11 +43,24 @@ namespace TimberWinR.Parser
              }
 
              ApplySplits(json);
+             ApplyRemoves(json);
              ApplyRenames(json);
              ApplyReplace(json);
              return true;
          }
 
+         private void ApplyRemoves(JObject json)
+         {
+             if (Remove != null && Remove.Length > 0)
+             {
+                 for (int i = 0; i < Remove.Length; i += 1)
+                 {
+                     string name = ExpandField(Remove[i], json);
+                     RemoveProperty(json, name);
+                 }
+             }
+         }
+
          private void ApplyRenames(JObject json)
          {
              if (Rename != null && Rename.Length > 0)

TimberWinR/Parser.cs

@@ -27,6 +27,15 @@ namespace TimberWinR.Parser
     {
         public abstract bool Apply(JObject json);
 
+        protected void RemoveProperty(JObject json, string name)
+        {
+            JToken token = json[name];
+            if (token != null)
+            {
+                json.Remove(name);
+            }
+        }
+
         protected void RenameProperty(JObject json, string oldName, string newName)
         {
             JToken token = json[oldName];
@@ -633,6 +642,9 @@ namespace TimberWinR.Parser
         [JsonProperty("condition")]
         public string Condition { get; set; }
 
+        [JsonProperty("remove")]
+        public string[] Remove { get; set; }
+
         [JsonProperty("rename")]
         public string[] Rename { get; set; }
 

TimberWinR/mdocs/MutateFilter.md

@@ -8,6 +8,7 @@ The following operations are allowed when mutating a field.
 | Operation   |     Type        | Description                                                            
 | :-----------|:----------------|:-----------------------------------------------------------------------|
 | *condition* | property:string |C# Expression
+| *remove*    | property:array  |Remove one or more fields                                       
 | *rename*    | property:array  |Rename one or more fields                                       
 | *replace*   | property:array  |Replace a field with a new value.  The new value can include %{foo} strings to help you build a new value from other parts of the event.                                   
 | *split*     | property:array  |Separator between values of the "Strings" field.   
@@ -30,6 +31,19 @@ then the operation(s) will be executed in order.
 ```
 The above example will rename ComputerName to Host only for Win32-EventLog types.
 
+### remove ["name", ...]
+Removes field.
+```json
+  "Filters": [     
+    {
+		"mutate": {      			
+			"remove": [
+				"ComputerName", "Username"
+			]
+		}                
+    }     
+  ]
+```
 ### rename ["oldname", "newname", ...]
 The fields must be in pairs with oldname first and newname second.
 ```json