Elastic-agent cloudflare logpull and problem with using processors for filter events

Hi Everyone
I have a problem with elastic-agent (ver 7.17.4) that we are using to collect logs from Cloudflare.
I want to drop some events by using processors in "Edit Cloudflare integration", but nothing works. In "Cloudflare integration" I see that "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed." Maybe I used the wrong fields. Please help if you know.
Here are some examples that I used to drop events:

1. I want to drop all events that do not have the field cloudflare.firewall.actions:

```yaml
processors:
  - drop_event:
      when:
        not:
          has_fields: ['cloudflare.firewall.actions']
```

2. I want to drop all events when cloudflare.edge.pathing.src: "test":

```yaml
processors:
  - drop_event:
      when:
        equals:
          cloudflare.edge.pathing.src: "test"
```

For now nothing works.

I turned on Preserve original event to see the original event from Cloudflare.
After that we see that cloudflare.edge.pathing.src = EdgePathingSrc.

Answer:

```yaml
processors:
  - drop_event:
      when:
        regexp:
          # match the raw JSON in message; the parsed cloudflare.* fields do not exist yet at the agent
          message: '"EdgePathingSrc":"test"'
```
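As an added illustration that is not part of this thread or of Elastic's code: a small Python model of how the agent evaluates the three drop_event conditions from the post against a raw Logpull record, where only `message` exists because the cloudflare.* fields are created later by the ingest pipeline. The record contents and the raw field name FirewallMatchesActions are constructed assumptions.

```python
import json
import re

# Constructed raw Logpull records as the agent sees them before the ingest
# pipeline runs: only `message` exists, holding the compact JSON Cloudflare
# emits. The cloudflare.* fields are created later, in Elasticsearch.
def raw_event(record):
    return {"message": json.dumps(record, separators=(",", ":"))}

EVENT_TEST = raw_event({"EdgePathingSrc": "test", "ClientIP": "192.0.2.10"})
EVENT_OTHER = raw_event({"EdgePathingSrc": "macro", "ClientIP": "192.0.2.11"})
# "FirewallMatchesActions" is assumed here as the raw name behind
# cloudflare.firewall.actions; treat it as a constructed sample value.
EVENT_FW = raw_event({"EdgePathingSrc": "macro", "FirewallMatchesActions": ["block"]})

def get_field(event, path):
    """Resolve a dotted path such as cloudflare.edge.pathing.src in nested dicts."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(cond, event):
    """Evaluate a Beats-style condition: not / has_fields / equals / regexp."""
    if "not" in cond:
        return not matches(cond["not"], event)
    if "has_fields" in cond:
        return all(get_field(event, f) is not None for f in cond["has_fields"])
    if "equals" in cond:
        return all(get_field(event, f) == v for f, v in cond["equals"].items())
    if "regexp" in cond:
        return all(isinstance(get_field(event, f), str) and re.search(p, get_field(event, f))
                   for f, p in cond["regexp"].items())
    raise ValueError(f"unsupported condition: {cond}")

def would_drop(when, event):
    """True if `drop_event: {when: ...}` discards this event at the agent."""
    return bool(matches(when, event))

# The three conditions from the post, as the agent evaluates them.
NOT_HAS_FW = {"not": {"has_fields": ["cloudflare.firewall.actions"]}}
EQUALS_SRC = {"equals": {"cloudflare.edge.pathing.src": "test"}}
REGEXP_MSG = {"regexp": {"message": '"EdgePathingSrc":"test"'}}

if __name__ == "__main__":
    for name, ev in [("test", EVENT_TEST), ("other", EVENT_OTHER), ("fw", EVENT_FW)]:
        print(name, would_drop(NOT_HAS_FW, ev), would_drop(EQUALS_SRC, ev), would_drop(REGEXP_MSG, ev))
```

Run it and note that the has_fields condition drops every record, including the firewall one, because no cloudflare.* field exists at the agent; only the regexp on message selects the intended events.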