Hi All,
Iam monitoring the windows events using Beats , but i could find lot of events generated every second and its kind of overloaded
I want to drop this event id
event_id : 5,516
Eventid is the field name and 5,516 is the value
How to drop this documents completely wherever it have this eventid value, before it sends to elasticsearch.
Please help me in fixing this issue
Thanks,
Raj
Hi,
You can use the drop filter (with the appropriate condition as per the example), so events are discarded.
Thanks for the reply, actually I know the drop filter ,
could please tell me the exact filter condition ?
to remove all the document which has
event_id : 5,516
Thanks,
Raj
filter {
if [event_id] == "5,516" {
drop { }
}
}Thanks Paris 
for the rocket reply, i will get back to you after implementing it
Hi Paris,
I tried this but am unsuccessful in dropping that event id, its still getting created
input {
beats {
port => 5044
}
}
filter {
if [event_id] == "5,516" {
drop { }
}
}
output {
elasticsearch {
hosts => "localhost:9200"
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
Don't include the thousands separator in the condition. Also, make sure you check the data type of the event_id field. Is it an integer or a string? Look at the raw JSON document, available from the JSON tab in Kibana.
Sure
Thanks for the input magnus, after removing the thousand separator it work fine
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.