Filebeat drop_event has_fields condition

arianmotamedi · April 30, 2019, 7:22pm

I have defined two drop_event conditions to exclude a subset of logs from making it to elastic:

processors:
  - add_kubernetes_metadata:
      in_cluster: true
      namespace: ${POD_NAMESPACE}
  - drop_event:
      when:
        equals:
          kubernetes.container.name: "filebeat"
  - drop_event:
      when:
        not:
          has_fields: ["kubernetes.namespace"]

First condition works fine, but after adding the second drop_event item, I'm getting

ERROR processors/condition.go:450 Failed to initialize lookup condition: missing condition

I'm not sure why it says condition is missing. Can I not combine not and has_fields?

Debashis · May 2, 2019, 6:47am

@arianmotamedi Obviously you can combine "not" and "has_fields" . I have did below configuration and it is working fine. As you can see I have also used "not" and "has_fields" together.

  filebeat.inputs:
  - type: log
    enabled: true
    paths:
     - /var/log/sample.log
     - /var/log/sample1.log
     - /var/log/sample2.log
 
  processors:
    - include_fields:
        when:
          equals:
            source: /var/log/sample.log
        fields: ["tmp"]
    - drop_event:
        when:
          equals:
            source: /var/log/sample1.log
    - drop_event:
        when:
          not:
            has_fields: ["tmp"]

Kindly recheck your config file, It's looking ok what you have shared.

system · May 30, 2019, 6:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.