Hi everyone,
I wanted to limit the number of documents stored in Elasticsearch. So I configured a processor in my filebeat.yml at the top-level. My input is the apache2 module which is configured fine.
processors:
- drop_event:
when:
regexp:
apache2.access.url: '\/(tag|track)\?'
I want to drop events where the url looks like this
/tag?something=value.../track?something=value...
Here is a sample input:
172.31.29.163 - - [16/Nov/2018:13:56:17 +0000] "GET /tag?something=value HTTP/1.1" 200 724 "[referer]"[user-agent]"
Can someone point me to what exactly I'm doing wrong?
Thank you.