I cannot for the life of me figure out why the following is not working:
This is using the Elastic Filebeat 6.5.2 Docker container:
filebeat.inputs:
- type: docker
  containers.ids: '*'
  combine_partial: true
processors:
- drop_event:
    when:
      equals:
        docker.container.name: "filebeat"
I literally want to not log anything related to the filebeat container. I've tried many combinations of getting an OR to work, using a regexp etc. but maybe someone can spot what I'm doing wrong with this simple example?
I expect the above to drop all log messages from the "filebeat" container.