Drop filter for multiple names

pavuk · October 19, 2018, 5:54am

Hi,

Could you please help me with drop logstash filter?
I have field 'username' and I want to drop all records for specific usernames.
Please correct my filter if it is wrong:

if ["Pete", "John", "Bill", "Greg", "Paul McCartney"] in [username] {
  drop { }
  }

Thanks.

Jenni · October 19, 2018, 8:01am

Right now it's
"If the username contains this array ..."
That a) won't happen and b) isn't valid syntax in Logstash. (I think you can not define arrays directly in the conditions?)

Three possible solutions:

If you had a field containing that array, you could probably write if [username] in [namelist]
You could just concatenate all your conditions :if [username] == "Pete" or [username] == ...
You could use a regular expression: if [username] =~ /Pete|John|Bill|Greg|Paul McCartney/

pavuk · October 19, 2018, 8:32am

Thank you! It seems solution 2 is my choice!

system · November 16, 2018, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.