Beat processor drop fields

Hello - what would be the best way to "drop all message fields, except for x or y or z"?

I want to start by dropping the message field for all events, but then include it only on a few, using a when.or condition?

Can I do something like this?

```yaml
# Sketch of the idea, as posted in the question (not a working config):
# drop message everywhere, then put it back for a few event IDs.
processors:
  - drop_fields:
      fields: [message]
  - add_fields:
      when:
        or:
          - equals:
              winlog.event_id: 1
          - equals:
              winlog.event_id: 2
          - equals:
              winlog.event_id: 3
      fields: [message]
```

Any clues on how to drop all message fields by default, except when event_id = 1 or 2 or 3, etc.?

```yaml
processors:
  - drop_fields:
      fields: [message]
      # Drop `message` unless the event ID is one of 1, 2, 3.
      # Dotted keys expand to when: { not: { or: [ {equals: ...}, ... ] } }.
      # `equals` is type-sensitive: if winlog.event_id is emitted as a string
      # in your Winlogbeat version, quote the values ("1", "2", "3").
      when.not.or:
        - equals.winlog.event_id: 1
        - equals.winlog.event_id: 2
        - equals.winlog.event_id: 3
```

Give that a try. I didn't test it myself.
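To sanity-check the `when.not.or` logic before deploying it, here is a small offline model of the `drop_fields` processor run over constructed Winlogbeat-style events. This is an added example, not code from the thread or from Beats; the `equals` / `or` / `and` / `not` semantics are my assumption of how Beats evaluates conditions (in particular that `equals` does not match an integer against a string), and the sample events are made up.

```python
"""Offline model of the Beats `drop_fields` processor guarded by a
`when.not.or` condition. Added example, not Beats source: it mimics the
documented condition semantics (assumption) closely enough to check a
processor block before deploying it."""
from copy import deepcopy

# Constructed Winlogbeat-style events (not real captures).
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 1}, "message": "Process Create"},
    {"winlog": {"event_id": 2}, "message": "File creation time changed"},
    {"winlog": {"event_id": 3}, "message": "Network connection detected"},
    {"winlog": {"event_id": 7}, "message": "Image loaded"},
    {"winlog": {"event_id": "1"}, "message": "event_id emitted as a string"},
    {"winlog": {"event_id": 5}},  # no message field at all
]

# The answer's processor, written in expanded (non-dotted) form.
DROP_MESSAGE_UNLESS_1_2_3 = {
    "drop_fields": {
        "fields": ["message"],
        "ignore_missing": True,  # events without `message` must not error
        "when": {
            "not": {"or": [{"equals": {"winlog.event_id": i}} for i in (1, 2, 3)]}
        },
    }
}


def get_field(event, dotted):
    """Resolve a dotted field name against nested dicts; None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(condition, event):
    """Evaluate a Beats-style condition dict (equals / or / and / not).
    `equals` uses `==`, so 1 and "1" do not match (assumed Beats behaviour)."""
    (kind, body), = condition.items()
    if kind == "equals":
        return all(get_field(event, f) == v for f, v in body.items())
    if kind == "or":
        return any(evaluate(c, event) for c in body)
    if kind == "and":
        return all(evaluate(c, event) for c in body)
    if kind == "not":
        return not evaluate(body, event)
    raise ValueError(f"unsupported condition: {kind}")


def drop_fields(event, fields, when=None, ignore_missing=False):
    """Return a copy of `event` with `fields` removed when `when` holds."""
    out = deepcopy(event)
    if when is not None and not evaluate(when, out):
        return out
    for f in fields:
        parts = f.split(".")
        parent = out
        for part in parts[:-1]:
            parent = parent.get(part, {})
        if parts[-1] in parent:
            del parent[parts[-1]]
        elif not ignore_missing:
            raise KeyError(f"field {f} missing from event")
    return out


def run_processors(events, processors):
    """Apply a list of drop_fields processors to each event in order."""
    result = []
    for ev in events:
        for proc in processors:
            (name, cfg), = proc.items()
            if name != "drop_fields":
                raise ValueError(f"unsupported processor: {name}")
            ev = drop_fields(ev, cfg["fields"], cfg.get("when"),
                             cfg.get("ignore_missing", False))
        result.append(ev)
    return result


def event_ids_keeping_message(events, processors):
    """IDs of events that still carry `message` after processing."""
    return [get_field(e, "winlog.event_id")
            for e in run_processors(events, processors) if "message" in e]


if __name__ == "__main__":
    print(event_ids_keeping_message(SAMPLE_EVENTS, [DROP_MESSAGE_UNLESS_1_2_3]))
```

The last sample event shows the check worth doing on real data: if Winlogbeat emits `winlog.event_id` as a string, an unquoted `1` in the config never matches and `message` is dropped for that event too.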
