Event Filter * field

Hi all,
The purpose is to refuse to receive some logs.
(Endpoint) There are a lot of events every day, and we don't want to receive meaningless logs that take up space. How can we filter all values with * or filter the field?

It's not working.

Hi there!

If you would like to not receive alerts if a field is present, you can use the exists operator. If you would like to use wildcard matching, you can use the matches operator. I would suggest checking out the docs here that give a bit more detail on the operators.

If there is a list of values - say you only want to get alerted for some known ids, or only get alerted if it is not one of those ids - you can also check out large value lists. You can upload a list of values and then create an exception using the is in list/is not in list operator. Docs for large value lists can be found here.

Hopefully that helps! Let us know if you need any further clarification or help on anything!


Hi yctercero,

In the event filter, there are only "is", "is not", "is one of" and "is not one of"; there is no matches or is in list/is not in list option.

Hi Nathan,

Thank you for clarifying that it is for the Event filters.
In that case, the available operators are:

  • is
  • is not
  • is one of
  • is not one of
  • matches => This is only available for the file.path.text field.

If you would like to filter using wildcards, you can use the file.path.text field. If you would like to learn more about Event filters, please refer to these docs.

Please let us know if this is helpful, or if you need any further assistance!
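To make the operator set above concrete, here is an added Python example (not code from Elastic or from this thread) that models how an Endpoint event filter evaluates its conditions against constructed sample events. It assumes that the conditions within one filter are combined with AND and that a matching event is dropped before it is shipped; the `matches` operator is only accepted on `file.path.text`, as the reply states.

```python
import fnmatch

# Operators listed in the reply above. "matches" (wildcard) is only
# accepted on file.path.text; any other field with "*" is rejected.
OPERATORS = {"is", "is not", "is one of", "is not one of", "matches"}
WILDCARD_FIELDS = {"file.path.text"}

def get_field(event, dotted):
    """Resolve a dotted ECS field name (e.g. file.path.text) in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # field absent on this event
        cur = cur[part]
    return cur

def build_entry(field, operator, value):
    """Validate one filter condition the way the UI restricts it."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if operator == "matches" and field not in WILDCARD_FIELDS:
        raise ValueError(f"'matches' is only available for {sorted(WILDCARD_FIELDS)}")
    return {"field": field, "operator": operator, "value": value}

def entry_matches(entry, event):
    actual = get_field(event, entry["field"])
    op, value = entry["operator"], entry["value"]
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "is one of":
        return actual in value
    if op == "is not one of":
        return actual not in value
    # "matches": shell-style wildcard, case-sensitive, never matches a missing field
    return actual is not None and fnmatch.fnmatchcase(actual, value)

def apply_filter(entries, events):
    """Assumption: conditions are ANDed; an event matching all of them is dropped."""
    return [ev for ev in events if not all(entry_matches(e, ev) for e in entries)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"category": "file"}, "file": {"path": {"text": "/var/lib/noisy-app/cache/a.tmp"}}, "agent": {"id": "a1"}},
    {"event": {"category": "file"}, "file": {"path": {"text": "/home/bob/report.docx"}}, "agent": {"id": "a1"}},
    {"event": {"category": "process"}, "process": {"name": "sshd"}, "agent": {"id": "a2"}},
]

def demo():
    """Drop only the file events under the noisy cache directory."""
    entries = [build_entry("event.category", "is", "file"),
               build_entry("file.path.text", "matches", "/var/lib/noisy-app/cache/*")]
    return apply_filter(entries, SAMPLE_EVENTS)
```

Running `demo()` keeps the report.docx and sshd events and drops the cache entry; calling `build_entry("agent.id", "matches", "*")` raises, mirroring the restriction described in the thread.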

Simply put, for some indices there are a lot of useless fields like agent_id that we don't want to collect, but in the event filter we cannot filter only the field, like agent_id, with wildcards (*).
