Drop filter for multiple names

pavuk · October 19, 2018, 5:54am

Hi,

Could you please help me with drop logstash filter?
I have field 'username' and I want to drop all records for specific usernames.
Please correct my filter if it is wrong:

if ["Pete", "John", "Bill", "Greg", "Paul McCartney"] in [username] {
  drop { }
  }

Thanks.

Jenni · October 19, 2018, 8:01am

Right now it's
"If the username contains this array ..."
That a) won't happen and b) isn't valid syntax in Logstash. (I think you can not define arrays directly in the conditions?)

Three possible solutions:

If you had a field containing that array, you could probably write if [username] in [namelist]
You could just concatenate all your conditions :if [username] == "Pete" or [username] == ...
You could use a regular expression: if [username] =~ /Pete|John|Bill|Greg|Paul McCartney/

pavuk · October 19, 2018, 8:32am

Thank you! It seems solution 2 is my choice!

system · November 16, 2018, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Filter Conditional Usage Logstash	3	276	July 10, 2019
Logstash filter drop message with $ into string Logstash windows	10	859	September 17, 2020
Array for condition Logstash	3	660	January 17, 2019
Logstash is it possible to drop only field? Logstash	4	496	July 26, 2017
Best way to drop event based on the value(in an array) of a field Logstash	2	423	June 12, 2020

Drop filter for multiple names

Related topics