Trying to set up a condition in the system.yml file for dropping some events when a condition is met.
What I want to do is:
if these conditions are met, drop the event.
( cond1 OR cond2 OR cond3 ) AND ( cond4 OR cond5 )
For example, here I want to drop the event
if (user=root OR user=nagios) AND (process.name not like "^http*" OR process.name not like "^weblogic")
In short, I want to drop processes which start with http/weblogic and where the user is root or nagios,
but however many different combinations I try, it is not working. I have spent hours on different kinds of combinations. What am I missing here?
processors:
  - drop_event:
      when:
        or:
          equals:
            user.name: root
          equals:
            user.name: nagios
        and:
          or:
            not:
              regexp:
                process.name: "^http*"
            not:
              regexp:
                process.name: "^weblogic*"
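
An added example, not part of the original post: one way to express the summary sentence above (drop events whose process name starts with http or weblogic and whose user is root or nagios). It assumes Beats-style processor conditions, where `and` and `or` each take a list of conditions, and it assumes the summary sentence rather than the "not like" formula is the intent.

```yaml
processors:
  - drop_event:
      when:
        # Top level is a single AND over two OR groups:
        # (cond1 OR cond2) AND (cond4 OR cond5)
        and:
          # Group 1: the user is root or nagios.
          - or:
              - equals:
                  user.name: root
              - equals:
                  user.name: nagios
          # Group 2: the process name starts with http or weblogic.
          # No "not" here: "not A OR not B" is true for every name that
          # does not match both patterns at once, so it would match
          # almost every process owned by these users.
          - or:
              - regexp:
                  # "^http" anchors at the start of the name. In "^http*"
                  # the "*" applies only to the final "p", so it also
                  # matches names that merely start with "htt".
                  process.name: "^http"
              - regexp:
                  process.name: "^weblogic"
```

Each `-` item is a separate condition. Writing two `equals:` or two `not:` keys directly under one `or:` creates duplicate mapping keys, which YAML parsers reject or collapse to a single entry.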