Hi!
I use IIS module for collect IIS logs.
I want drop events if field url.path contains "layouts".
Where in the config should I use the processors block with drop_events? In filebeat.yml or iis.yml?
Can you show me example? Thank you advance
So u could do this on the filebeat side in the iis.yml but since the log message isn't parsed until it gets to Elasticsearch you'll have to do regex match on the entire message. The other option is to modify the existing Elasticsearch ingest pipeline to drop the event once the url.path field is populated and can do a simpler match.
Another approach is, you can add a index.final_pipeline to the index settings / template that way you don't have to modify the existing pipeline and then that'll get run at the end.
That pipeline can drop the events you want.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.