I wanted to limit the number of documents stored in Elasticsearch. So I configured a processor in my filebeat.yml at the top-level. My input is the apache2 module which is configured fine.
processors:
  - drop_event:
      when:
        regexp:
          apache2.access.url: '\/(tag|track)\?'
I want to drop events where the url looks like this
Here is a sample input:
172.31.29.163 - - [16/Nov/2018:13:56:17 +0000] "GET /tag?something=value HTTP/1.1" 200 724 "[referer]"[user-agent]"
Can someone point me to what exactly I'm doing wrong?