Filebeat Processors drop_event

erezhazan1 · December 7, 2020, 1:21pm

Hey all!
I need your help with the following,
I'm trying to get this condition to work:

If not (message: '^.dstintf="aaaa".' OR message: '^.dstintf="bbb".')
AND NOT (message: '^.action="ccc".' AND message: '^.action="dddd".' AND message: '^.action="eeee".')

For some reason, I'm having a hard time getting the right way.
I tried doing something like this:

- if:
    equals:
      type: "xxxxx"
  then:
    - drop_event:
        when:
          not:
            or:
            - regexp:
                  message: '^.*dstintf=\"aaaa\".*'
            - regexp:
                  message: '^.*dstintf=\"bbbb\".*'
            - and:
                - regexp:
                     message: '^.*action=\"cccc\".*'
                - regexp:
                     message: '^.*action=\"dddd\".*'
                - regexp:
                     message: '^.*action=\"eeee\".*'
                - regexp:
                     message: '^.*action=\"ffff\".*'

jsoriano · December 8, 2020, 6:52pm

Hey @erezhazan1, welcome to discuss

Is this what you are trying to do?

    - drop_event:
        when:
          and:
          - not:
              or:
              - regexp:
                  message: '^.*dstintf=\"aaaa\".*'
              - regexp:
                  message: '^.*dstintf=\"bbbb\".*'    
          - not:
              and:
                - regexp:
                     message: '^.*action=\"cccc\".*'
                - regexp:
                     message: '^.*action=\"dddd\".*'
                - regexp:
                     message: '^.*action=\"eeee\".*'
                - regexp:
                     message: '^.*action=\"ffff\".*'

Take into account that "if not (A) and not (B)" needs to be implemented like this:

    - drop_event:
        when:
          and:
          - not:
              (A)
          - not:
              (B)

erezhazan1 · December 9, 2020, 12:50pm

Hey!
Thanks for your replay.
I manged to get it to work, and what I was looking for what eventually this:

  then:
    - drop_event:
        when:
          or:
          - not:
              or:
              - regexp:
                  message: '^.*dstintf=\"aaaa\".*'
              - regexp:
                  message: '^.*dstintf=\"bbbb\".*'
          - regexp:
              message: '^.*action=\"cccc\".*'
          - regexp:
              message: '^.*action=\"ddddd\".*'
          - regexp:
              message: '^.*action=\"eeeee\".*'
          - regexp:
              message: '^.*action=\"fffff\".*'

I probably didn't expain myself right but your config got me into the right direction.
Thanks again!

system · January 6, 2021, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop_event processor with not and or condition filters out all event Beats filebeat	4	38	July 16, 2024
Exclude messages with Strings Beats filebeat	3	895	January 11, 2018
Filebeat filtering, drop event processor script Beats filebeat	12	3129	March 2, 2022
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1163	November 18, 2020
Filebeat Filtering - Drop Event when NOT contain field that equals a value Beats docker , filebeat	9	7391	July 3, 2021

Filebeat Processors drop_event

Related Topics