Filebeat Processors drop_event

erezhazan1 · December 7, 2020, 1:21pm

Hey all!
I need your help with the following,
I'm trying to get this condition to work:

If not (message: '^.dstintf="aaaa".' OR message: '^.dstintf="bbb".')
AND NOT (message: '^.action="ccc".' AND message: '^.action="dddd".' AND message: '^.action="eeee".')

For some reason, I'm having a hard time getting the right way.
I tried doing something like this:

- if:
    equals:
      type: "xxxxx"
  then:
    - drop_event:
        when:
          not:
            or:
            - regexp:
                  message: '^.*dstintf=\"aaaa\".*'
            - regexp:
                  message: '^.*dstintf=\"bbbb\".*'
            - and:
                - regexp:
                     message: '^.*action=\"cccc\".*'
                - regexp:
                     message: '^.*action=\"dddd\".*'
                - regexp:
                     message: '^.*action=\"eeee\".*'
                - regexp:
                     message: '^.*action=\"ffff\".*'

jsoriano · December 8, 2020, 6:52pm

Hey @erezhazan1, welcome to discuss

Is this what you are trying to do?

    - drop_event:
        when:
          and:
          - not:
              or:
              - regexp:
                  message: '^.*dstintf=\"aaaa\".*'
              - regexp:
                  message: '^.*dstintf=\"bbbb\".*'    
          - not:
              and:
                - regexp:
                     message: '^.*action=\"cccc\".*'
                - regexp:
                     message: '^.*action=\"dddd\".*'
                - regexp:
                     message: '^.*action=\"eeee\".*'
                - regexp:
                     message: '^.*action=\"ffff\".*'

Take into account that "if not (A) and not (B)" needs to be implemented like this:

    - drop_event:
        when:
          and:
          - not:
              (A)
          - not:
              (B)

erezhazan1 · December 9, 2020, 12:50pm

Hey!
Thanks for your replay.
I manged to get it to work, and what I was looking for what eventually this:

  then:
    - drop_event:
        when:
          or:
          - not:
              or:
              - regexp:
                  message: '^.*dstintf=\"aaaa\".*'
              - regexp:
                  message: '^.*dstintf=\"bbbb\".*'
          - regexp:
              message: '^.*action=\"cccc\".*'
          - regexp:
              message: '^.*action=\"ddddd\".*'
          - regexp:
              message: '^.*action=\"eeeee\".*'
          - regexp:
              message: '^.*action=\"fffff\".*'

I probably didn't expain myself right but your config got me into the right direction.
Thanks again!

system · January 6, 2021, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.