Drop event for Apache Module

ajesh · November 10, 2020, 1:09pm

Hi Team,

I am trying drop a specific event from filebeat apache module , i have tried below drop event processor and its not working.
Event to be dropped if the url.original field contains refresh as the text

url.original: /ey/refresh.defaults.notifynewmessages.do?XY=1605013288470

In the above field , only this content refresh.defaults.notifynewmessages is static and all other contents are dynamic

I have updated filebeat.yml file to drop the event as below.

  - drop_event:
      when:
        or:
         - contains:
            message: "HealthCheck"   - This is working fine and event is getting dropped 
         - contains:
            url.original: "refresh"   - This is not working.

Do i need to update this in the ingest pipeline if so how i can do that. Please help.

Thanks,
Ajesh

Kaiyan_Sheng · November 10, 2020, 11:28pm

Hi! Does the output event from filebeat includes url.original with "refresh"? If you just simplify this processor to only drop event when url.original contains "refresh", does that work?

ajesh · November 12, 2020, 1:03pm

Hello Kaiyan,

Yes, this is one of the field which we get when we enable the apache module for filebeat.

url.original: /ey/refresh.defaults.notifynewmessages.do?XY=1605013288470

As you suggested i will try to keep to only this drop event and check if its working

Thanks,
Ajesh

system · December 10, 2020, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.