I have the following filter in my system.yml file and it is working fine: it drops the event if the username is root or ntp, or if the process name matches the myjob.* pattern.
```yaml
processors:
  - drop_event:
      when:
        or:
          - equals:
              user.name: root
          - equals:
              user.name: ntp
          - regexp:
              process.name: "myjob.*"
```
I want to add one more condition: drop the event if user = root or ntp or regexp(process.name = myjob.*), and do not drop if regexp(process.name = sachin.*). I tried the following but it is not working. What am I missing?
```yaml
processors:
  - drop_event:
      when:
        or:
          - equals:
              user.name: root
          - equals:
              user.name: ntp
          - regexp:
              process.name: "myjob.*"
        not:
          - regexp:
              process.name: "sachin.*"
```
I just used this but I am not getting anything:
```yaml
processors:
  - drop_event:
      when:
        not:
          equal:
            process_fullname: "sachin-dev.service.31746"
```
I removed all the processors and made sure I have that event, and yes I do. Then I used a different condition, like
process.name =
but it seems like I am not placing NOT in the correct place.
Please help if anyone has ever used this kind of expression.
After further testing and debugging I am still not getting what I want.
Two individual processors work. This one drops all events which have user.name = root:
```yaml
processors:
  - drop_event:
      when:
        or:
          - equals:
              user.name: root
```
This one drops all events which do not have process.name=sachin-gateway:
```yaml
processors:
  - drop_event:
      when:
        not:
          equals:
            process.name: sachin-gateway
```
How do I combine them so that all processes with user.name=root are dropped except process.name=sachin-gateway?
I have tried many different methods; none works.
This one drops all processes with user.name=root:
```yaml
processors:
  - drop_event:
      when:
        and:
          equals.user.name: root
          not.equals.process.name: sachin-gateway.pr
```
Alright, this works:
```yaml
processors:
  - drop_event.when.and:
      - equals.user.name: root
      - not.equals.process.name: sachin-gateway
```
But I want to add an or condition to this, to also drop user.name = zabbix or user.name = postfix or user.name=statd etc.
Basically something like this:
drop_event when:
( username=root and NOT process.name=sachin.gateway) or (username=nscd or username=postfix or username=xyz)
Alright, fixed it.
Just in case someone has the same issue:
```yaml
processors:
  - drop_event.when:
      and:
        - equals.user.name: root
        - not.equals.process.name: sachin-gateway
  - drop_event.when:
      or:
        - equals.user.name: postfix
        - equals.user.name: zabbix
```
Instead of combining the two conditions, I wrote them out separately:
drop_event when (user.name=root AND NOT process.name=sachin-gateway)
drop_event when (user.name=postfix OR user.name=zabbix)
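To show why two separate drop_event processors behave like a single `or`, and why the first attempt (an extra `not:` key beside `or:` under `when:`) cannot express the intended exclusion, here is a small evaluator for the subset of the Beats condition syntax used in this thread (`equals`, `regexp`, `and`, `or`, `not`). This is an added example written for this page, not code from the posts above or from the Beats project. The semantics it mirrors are assumptions stated in the comments (`and`/`or` take a list, `not` takes one condition, `equals` on a missing field is false, `regexp` is an unanchored match), and the events are constructed, not real Auditbeat output.

```python
import re

# Added example: a mini evaluator for Beats-style drop_event conditions.
# It is not the Beats implementation; the semantics below are assumptions
# chosen to mirror the documented behaviour of the condition syntax.


def get_field(event, path):
    """Resolve a dotted field path such as 'user.name' against a nested dict.
    A flat key that itself contains dots is accepted too (both shapes occur
    in Beats events)."""
    if path in event:
        return event[path]
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _regexp_hit(value, pattern):
    # Unanchored search, like Go's regexp.MatchString; a missing field never matches.
    return value is not None and re.search(pattern, str(value)) is not None


def matches(cond, event):
    """Return True when the condition holds for the event.
    A condition map carries exactly one operator key: 'and'/'or' take a list
    of conditions, 'not' takes a single condition, 'equals'/'regexp' take a
    map of field -> value (several fields in one map are AND-ed).
    A map with two operator keys (the shape of the first broken attempt) is
    ambiguous, so this evaluator rejects it instead of guessing."""
    if not isinstance(cond, dict) or len(cond) != 1:
        raise ValueError(f"a condition needs exactly one operator key, got {cond!r}")
    (op, arg), = cond.items()
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "or":
        return any(matches(c, event) for c in arg)
    if op == "not":
        if isinstance(arg, list):
            raise ValueError("'not' takes a single condition, not a list")
        return not matches(arg, event)
    if op == "equals":
        # Missing field compares unequal, so 'not equals' on an absent
        # process.name is True (assumed here to mirror Beats).
        return all(get_field(event, f) == v for f, v in arg.items())
    if op == "regexp":
        return all(_regexp_hit(get_field(event, f), p) for f, p in arg.items())
    raise ValueError(f"unsupported operator: {op}")


def is_rejected(cond, event=None):
    """True when the evaluator refuses the condition shape."""
    try:
        matches(cond, event or {})
    except ValueError:
        return True
    return False


# The two processors from the final post, as dicts mirroring the YAML.
PROCESSORS = [
    {"drop_event": {"when": {"and": [
        {"equals": {"user.name": "root"}},
        {"not": {"equals": {"process.name": "sachin-gateway"}}},
    ]}}},
    {"drop_event": {"when": {"or": [
        {"equals": {"user.name": "postfix"}},
        {"equals": {"user.name": "zabbix"}},
    ]}}},
]

# The same logic folded into one condition: sibling processors that each
# drop on their own condition are equivalent to one 'or' over those conditions.
COMBINED = {"or": [
    {"and": [
        {"equals": {"user.name": "root"}},
        {"not": {"equals": {"process.name": "sachin-gateway"}}},
    ]},
    {"equals": {"user.name": "postfix"}},
    {"equals": {"user.name": "zabbix"}},
]}

# Shape of the first attempt in the thread: two operator keys under 'when'.
BROKEN_ATTEMPT = {
    "or": [{"equals": {"user.name": "root"}}, {"regexp": {"process.name": "myjob.*"}}],
    "not": [{"regexp": {"process.name": "sachin.*"}}],
}

# Constructed sample events (not real Auditbeat output).
EVENTS = [
    {"user": {"name": "root"}, "process": {"name": "sachin-gateway"}},   # kept
    {"user": {"name": "root"}, "process": {"name": "cron"}},             # dropped
    {"user": {"name": "postfix"}, "process": {"name": "smtpd"}},         # dropped
    {"user": {"name": "zabbix"}, "process": {"name": "zabbix_agentd"}},  # dropped
    {"user": {"name": "alice"}, "process": {"name": "sachin-gateway"}},  # kept
    {"user": {"name": "root"}},  # no process.name: root AND NOT equals -> dropped
]


def run_processors(processors, events):
    """Apply the drop_event processors; return the events that survive."""
    return [ev for ev in events
            if not any(matches(p["drop_event"]["when"], ev) for p in processors)]


def survivors(processors=PROCESSORS, events=EVENTS):
    """(user.name, process.name) of every event that is not dropped."""
    return [(e["user"]["name"], e.get("process", {}).get("name"))
            for e in run_processors(processors, events)]


if __name__ == "__main__":
    print(survivors())
    print(survivors([{"drop_event": {"when": COMBINED}}]))
    print("broken attempt rejected:", is_rejected(BROKEN_ATTEMPT))
```

Running it keeps only the root/sachin-gateway and alice events for both the two-processor and the single combined condition, which is the behaviour the final post describes; the first attempt's shape is rejected because a condition map can carry only one operator. Note that the root event without any process.name is dropped, since `not equals` on an absent field is true under these semantics; if that is not wanted, a `has_fields` guard on `process.name` would be the place to express it.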
system (system) closed this topic on May 2, 2024, 5:23pm: This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.