Dropping multiple Windows events in Logstash

Hi there,

I am trying to drop multiple events in Logstash. How do I implement it?

As of now I use two different filters, but I want it in one filter.

filter {
  if "windows_ad" in [tags] {
    if [event_id] == 5157 {
      drop { }
    }
  }
}

I tried this; it doesn't work:

filter {
  if "windows_ad" in [tags] {
    if [event_id] == ["5157", "5158"] {
      drop { }
    }
  }
}

Could anyone help me to execute it?

Hello,
if [event_id] in ['5157', '5158']

No, I have tried that as well; it doesn't work.

Can you try this:

if [5157 ] or [5158]

You mean like this?

filter {
  if "windows_ad" in [tags] {
    if [5157 ] or [5158] in [event_id] {
      drop { }
    }
  }
}

And I tried with quotes as well, like this:

if " [5157 ] or [5158] " in [event_id]

It doesn't work.

Is the type of [event_id] text?
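
Added example, not part of the original thread: a single filter that drops both event IDs whichever type the field has. The thread never establishes whether [event_id] arrives as an integer or as a string, so that is treated here as an unknown; the tag and field names are the ones used in the posts above.

```logstash
filter {
  if "windows_ad" in [tags] {
    # Assumption: the type of [event_id] is not known from the thread.
    # A conditional does not coerce types, so the integer 5157 and the
    # string "5157" are different values. Test the integer form and the
    # string form separately, and drop on either.
    if [event_id] in [5157, 5158] or [event_id] in ["5157", "5158"] {
      # drop { } discards the event for every output, so nothing
      # downstream (search, alerting) will ever see these event IDs.
      drop { }
    }
  }
}
```

To see which type the field really has, send a few events to a temporary `stdout { codec => rubydebug }` output: string values are printed in quotes, integers are not. Once the type is known, the branch that never matches can be deleted.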
