I have an IF statement like below:
if "tobem" in [user][url] or "foocrypt" in [user][url] or "theautomatski" in [user][url]
I also imagine that this is going to get a bit larger as time goes on and I identify more users I want to exclude. Is it possible to shorten it down at all, something like below?
The field name is [user][url] and the values are tobem, foocrypt, and theautomatski, which makes it seem like your first suggestion wouldn't work. The second one does not work. I also tried if [ "tobem", "foocrypt", "theautomatski" ] in [user][url] and got an error, No implicit conversion of array into string.
Looks like the first one is what I wanted, it just reads weird to the novice (aka, me). Seems like it's saying if value user.url is in field tobem, foocrypt, or theautomatski but it appears I am wrong. Thanks for the help Badger.
EDIT: Nope, that doesn't work. Doesn't throw any errors but it also doesn't drop the events.
Line 15 into 16 is the user.url field containing tobem
{
  "_index": "inteltwit-2018.04.01",
  "_type": "doc",
  "_id": "OwSJg2IBPqHGZa-TOcIb",
  "_version": 1,
  "_score": null,
  "_source": {
    "timestamp_ms": "1522625270961",
    "links": [
      "https://t.co/0qKvlh5S2U",
      "https://t.co/Ov0ROPGcBk"
    ],
    "text_original": "This book is about a cyberwar with China. This new type of war, sa https://t.co/0qKvlh5S2U #Cybersecurity #Bitcoin https://t.co/Ov0ROPGcBk",
    "@timestamp": "2018-04-01T23:27:50.000Z",
    "user": {
      "url": "http://tobem.com/cyberwar",
      "id_str": "3875339716",
      "description": null,
      "screen_name": "CyberToolsBooks",
      "time_zone": null,
      "name": "CyberWar Books"
    },
    "hashtags": [
      "#cybersecurity",
      "#bitcoin"
    ],
    "mentioned": [],
    "extended_entities": {},
    "source": "<a href=\"http://www.ajaymatharu.com/\" rel=\"nofollow\">Tweet Old Post</a>",
    "text": "This book is about a cyberwar with China. This new type of war, sa "
  },
  "fields": {
    "timestamp_ms": [
      "2018-04-01T23:27:50.961Z"
    ],
    "@timestamp": [
      "2018-04-01T23:27:50.000Z"
    ]
  },
  "highlight": {
    "text_original": [
      "This @kibana-highlighted-field@book@/kibana-highlighted-field@ is about a cyberwar with China. This new type of war, sa https://t.co/0qKvlh5S2U #Cybersecurity #Bitcoin https://t.co/Ov0ROPGcBk"
    ],
    "text.stop_analyzed": [
      "This @kibana-highlighted-field@book@/kibana-highlighted-field@ is about a cyberwar with China. This new type of war, sa"
    ],
    "text": [
      "This @kibana-highlighted-field@book@/kibana-highlighted-field@ is about a cyberwar with China. This new type of war, sa"
    ]
  },
  "sort": [
    1522625270000
  ]
}
Testing if [field] in array is testing for string equality between the field and each of the members of the array. Thus "foo" in ["foo", "bar"] is true. However "foo" in ["foot", "hand"] is false.
If you want to drop events from a set of domains (and BTW, it would be helpful in general to provide a description of the problem you are trying to solve when you ask us to help with the solution) then something like my second suggestion is more appropriate.
if [user][url] =~ "(tobem|foocrypt|theautomatski)"
might do it. Or perhaps
if [user][url] =~ "\b(tobem|foocrypt|theautomatski)\b"
to avoid matching notfoocrypt.com. Personally I would parse the domain name out of the URL and then match against that to avoid possibly matching those strings against the URI.
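As an added example (not from the thread, and not Logstash code itself), here is a Ruby script that models each of the four conditionals discussed above and runs them over constructed events shaped like the document the original poster pasted: the exact-equality `in` test, the plain alternation, the `\b`-bounded alternation, and the host-parsing approach Badger recommends. The function names and sample URLs are my own choices.

```ruby
require 'uri'

# Constructed sample events modelled on the pasted document; [user][url] is the
# field the filter inspects. The notfoocrypt.com and URI-path cases exercise the
# edge cases raised in the thread.
SAMPLE_EVENTS = [
  { 'user' => { 'url' => 'http://tobem.com/cyberwar' } },
  { 'user' => { 'url' => 'https://notfoocrypt.com/' } },
  { 'user' => { 'url' => 'https://example.org/blog/theautomatski' } },
  { 'user' => { 'url' => 'https://example.com/' } },
  { 'user' => { 'url' => nil } }
].freeze

BLOCKED = %w[tobem foocrypt theautomatski].freeze

# Semantics of `if [field] in [list]`: exact string equality with a member.
def in_list?(value, list)
  list.include?(value)
end

def alternation(list)
  list.map { |s| Regexp.escape(s) }.join('|')
end

# `=~ "(tobem|foocrypt|theautomatski)"`: substring match anywhere in the URL.
def substring_match?(value, list)
  !(value.to_s =~ /(#{alternation(list)})/).nil?
end

# `=~ "\b(...)\b"`: rejects notfoocrypt.com but still fires on a matching path.
def boundary_match?(value, list)
  !(value.to_s =~ /\b(#{alternation(list)})\b/).nil?
end

# Badger's recommendation: parse the host out of the URL and compare only the
# label left of the TLD (a simplification that ignores multi-part suffixes such
# as co.uk). Missing or unparseable URLs are kept, not dropped.
def host_blocked?(value, list)
  host = URI.parse(value.to_s).host
  return false if host.nil?
  labels = host.downcase.split('.')
  labels.length >= 2 && list.include?(labels[-2])
rescue URI::InvalidURIError
  false
end

# One row per event showing which of the four tests would drop it.
def drop_decisions(events, list = BLOCKED)
  events.map do |e|
    url = e.dig('user', 'url')
    { url: url, in_list: in_list?(url, list), substring: substring_match?(url, list),
      boundary: boundary_match?(url, list), host: host_blocked?(url, list) }
  end
end
```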