Hi there,
I'm looking to drop all successful events collected with Auditbeat:
At the end of my yaml file I've put this:
processors:
- drop_event:
when:
auditd.result: "success"
But in Kibana I still can see results auditd.result with the value success.
Any ideas?
Thanks
ok got it,
My syntax was OK but the indentation was bad.......
Now it works.
@elastic_bees Thanks for updating this, the YAML syntax is somewhat error-prone, but we want to make the validations better in upcoming version.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.