Filebeat filter message for specific path

Hi, I am using filebeat-5.6.3.
With the below filebeat config I am able to

  • drop the events which don't have "testing2" or "testing1" in the message field of path
    "/var/log/messages"
  • drop the events which don't have "testing2" or "testing1" in the message field of path
    "/var/log/websphere/websphere.log".

I want to

  • drop events which don't contain "testing2" only in the message field of path "/var/log/messages"
  • similarly drop events which don't contain "testing1" only in the message field of path
    "/var/log/websphere/websphere.log".

Please suggest how to achieve this.

filebeat:
  prospectors:
  - input_type: log
    paths:
    - "/var/log/messages"
    fields:
      type: syslog
    fields_under_root: true
  - input_type: log
    paths:
    - "/var/log/websphere/websphere.log"
    fields:
      type: syslog
    fields_under_root: true
processors:
- drop_event:
    when.not:
      or:
      - regexp:
          message: testing2
      - regexp:
          message: testing1

You can match the path of your log file using source: https://www.elastic.co/guide/en/beats/filebeat/6.1/exported-fields-log.html#_literal_source_literal

Let me know if the following works for you:

processors:
- drop_event:
    when:
      or:
      - and:
        - not.regexp.message: testing2
        - equals.source: /var/log/messages
      - and:
        - not.regexp.message: testing1
        - equals.source: /var/log/websphere/websphere.log
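To check which events each `drop_event` condition would discard before deploying it, the following added example (not part of the original posts and not Filebeat code) evaluates both conditions from this thread over constructed events. It is a simplified model that assumes `regexp` is an unanchored search and `equals` is an exact match; the `/var/log/secure` event is an extra constructed case showing that the per-path condition keeps events from any path it does not name.

```python
import re

def expand(node):
    # Expand dotted shorthand: {"not.regexp.message": "x"} -> {"not": {"regexp": {"message": "x"}}}
    # Simplification of this model: field names containing dots are not supported.
    if isinstance(node, list):
        return [expand(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, val in node.items():
        head, _, rest = key.partition(".")
        out[head] = expand({rest: val}) if rest else expand(val)
    return out

def matches(cond, event):
    (op, arg), = cond.items()  # each condition node has exactly one operator
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "or":
        return any(matches(c, event) for c in arg)
    if op == "not":
        return not matches(arg, event)
    if op == "regexp":  # assumed unanchored, so a plain word acts as a substring match
        return all(re.search(p, event.get(f, "")) for f, p in arg.items())
    if op == "equals":
        return all(event.get(f) == v for f, v in arg.items())
    raise ValueError("unsupported condition: " + op)

def kept(drop_when, events):
    # Messages of the events that survive a drop_event with this "when" condition.
    cond = expand(drop_when)
    return [e["message"] for e in events if not matches(cond, e)]

SYS, WAS = "/var/log/messages", "/var/log/websphere/websphere.log"
QUESTION = {"not.or": [{"regexp.message": "testing2"}, {"regexp.message": "testing1"}]}
ANSWER = {"or": [
    {"and": [{"not.regexp.message": "testing2"}, {"equals.source": SYS}]},
    {"and": [{"not.regexp.message": "testing1"}, {"equals.source": WAS}]},
]}
# Constructed sample events (not real log data).
EVENTS = [{"source": s, "message": m} for s, m in [
    (SYS, "sys testing2"), (SYS, "sys testing1"), (SYS, "sys other"),
    (WAS, "was testing1"), (WAS, "was testing2"),
    ("/var/log/secure", "secure other"),
]]

if __name__ == "__main__":
    print("question config keeps:", kept(QUESTION, EVENTS))
    print("answer config keeps:  ", kept(ANSWER, EVENTS))
```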
