Drop "final" flow events

rschirin · May 12, 2017, 3:47pm

Hi,
I'm trying to use a processor to drop events when "final" = false (I have flows enabled).

I've tried these processors:

but no one of them work. I'm not understanding how to filter on boolean value.

andrewkroh · May 12, 2017, 3:59pm

You can disable non-final flows by setting the period to -1 (or might be -1s).

rschirin · May 12, 2017, 4:33pm

wow... there is really to much to learn.
by the way, in the .yml template I found this comment:

Configure reporting period. If set to -1, only killed flows will be reported

which is really clear. but, can you explain to me, for example, what does it mean if I set

period: 10s

value?

andrewkroh · May 12, 2017, 6:44pm

When period is >0 then you will get non-final events that give a summary of the flow up to that point in time.

Topic		Replies	Views
Filebeat filtering, drop event processor script Beats filebeat	12	3759	March 2, 2022
Filebeat processors not dropping events Beats filebeat	3	359	March 19, 2021
"Drop_event" does not work Beats metricbeat	5	1277	November 29, 2017
Packetbear drop event doesnt work Beats packetbeat	2	535	November 22, 2018
Drop_event equals condition does not work on floats Beats	3	967	May 5, 2017