Decode_json_fields and when.not, not working as expected

Kody_Peterson · December 18, 2018, 3:18pm

I have the following simple when.not I am using for testing:

    processors:
      - decode_json_fields:
          when.not:
            or:
              - equals.input.type: "docker"
          fields: ["log"]
          target: "log_json"
          process_array: true
          max_depth: 20

Although, I am still seeing events that have and input.type equal to "docker" being processed. Is this syntax correct? I am using an or here as a test as I will have more than one not condition once I get this simple one working.

Thanks!

Kody_Peterson · December 19, 2018, 3:16pm

@andrewkroh Do you maybe have some insights on this?

system · January 16, 2019, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Condition with decode_json_fields processor Beats filebeat	10	11684	February 13, 2018
Filebeat processors decode_json_fields with condition not working Beats filebeat	1	451	March 4, 2020
Correct formatting for using OR and WHEN condition in a processor Beats filebeat	2	457	July 4, 2019
Filebeat processor help Beats filebeat	2	372	November 16, 2020
Filter out events by JSON content Beats filebeat	4	510	May 28, 2019

Decode_json_fields and when.not, not working as expected

Related topics