Filebeat drop_event has_fields condition

arianmotamedi · April 30, 2019, 7:22pm

I have defined two drop_event conditions to exclude a subset of logs from making it to elastic:

processors:
  - add_kubernetes_metadata:
      in_cluster: true
      namespace: ${POD_NAMESPACE}
  - drop_event:
      when:
        equals:
          kubernetes.container.name: "filebeat"
  - drop_event:
      when:
        not:
          has_fields: ["kubernetes.namespace"]

First condition works fine, but after adding the second drop_event item, I'm getting

ERROR processors/condition.go:450 Failed to initialize lookup condition: missing condition

I'm not sure why it says condition is missing. Can I not combine not and has_fields?

Debashis · May 2, 2019, 6:47am

@arianmotamedi Obviously you can combine "not" and "has_fields" . I have did below configuration and it is working fine. As you can see I have also used "not" and "has_fields" together.

  filebeat.inputs:
  - type: log
    enabled: true
    paths:
     - /var/log/sample.log
     - /var/log/sample1.log
     - /var/log/sample2.log
 
  processors:
    - include_fields:
        when:
          equals:
            source: /var/log/sample.log
        fields: ["tmp"]
    - drop_event:
        when:
          equals:
            source: /var/log/sample1.log
    - drop_event:
        when:
          not:
            has_fields: ["tmp"]

Kindly recheck your config file, It's looking ok what you have shared.

Topic		Replies	Views
Drop event with multi layer conditions not working Beats filebeat	3	2852	May 2, 2018
Drop events if a field does not exist Beats filebeat	2	2235	January 8, 2018
Drop_event processor with not and or condition filters out all event Beats filebeat	4	227	July 16, 2024
Filebeat Processors drop_event Beats filebeat	3	1806	January 6, 2021
Cann't use custom fields as a condition to drop fields Beats filebeat	3	997	August 22, 2017

Filebeat drop_event has_fields condition

Related topics