Drop event with multi layer conditions not working

Elastic Stack Beats
1

I have following drop event configuration:

- drop_event:
    when:
        or:
          - equals:
              kubernetes.namespace: "monitoring"
          - equals:
              kubernetes.namespace: "kube-public"
          - equals:
              kubernetes.namespace: "abc-system"
          - equals:
              kubernetes.namespace: "default"
          - equals: 
              and:
                - equals:
                    kubernetes.namespace: "kube-system"
                - not:
                    equals:
                      kubernetes.container.name: "nginx-ingress"

It is not working for last condition where I want to drop event when kube namespace is kube-system and kube contianer name is not equal to ngnix-ingress.
Is filebeat can not handle recursive conditions?

2

As the documentation suggests equals does not accept conditions, only strings or ints: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-equals

Use and instead of equals. This basically does the same as you intended but provides correct parameters to every condition.

- drop_event:
    when:
        or:
          - equals:
              kubernetes.namespace: "monitoring"
          - equals:
              kubernetes.namespace: "kube-public"
          - equals:
              kubernetes.namespace: "abc-system"
          - equals:
              kubernetes.namespace: "default"
          - and: 
              - equals:
                  kubernetes.namespace: "kube-system"
              - not:
                  equals:
                    kubernetes.container.name: "nginx-ingress"
3

I tried with your solution it is giving me this error :
ERR Error creating prospector: each processor needs to have exactly one action, but found 2 actions

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.