Field value filter

shaharz · August 3, 2017, 11:27am

Hello,

i would like to know how can i do a field value filter? for example to do drop event by field value or length of a value, and how can i do a where in filter, for example. "field value" not in [1,2,3] etc.

thanks.

josephjohney · August 3, 2017, 11:33am

You could define the Grok pattern with conditional fields.

IF the pattern matches x - set the value to the a 'xstring'
else you could set value to 'anotherstring'

Example
%{patternforx:xstring}| %{WORD:ystring}

magnusbaeck · August 3, 2017, 11:39am

Have you read the documentation about conditionals?

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

shaharz · August 4, 2017, 2:04pm

thank you

shaharz · August 4, 2017, 2:05pm

now yes :). thanks !

shaharz · August 4, 2017, 2:19pm

tell me, didnt see how i can get the length of a field value?

magnusbaeck · August 4, 2017, 2:20pm

I think you need to use a ruby filter to check the field value length.

system · September 1, 2017, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.