Filter help

Diggy · July 11, 2016, 9:38pm

I've added the following filter to only capture Windows event types "WARNING" AND "ERROR":

if [type] == "eventlog" and "INFO" in [EventType] {
drop {
}
}

Now, I'd like to exclude some hosts from this filter so that event types "INFO", "WARNING" AND "ERROR" are reported for them. I tried adding a regex, as follows:

if [Hostname !~ /^myhost? and [type] == "eventlog" and "INFO" in [EventType] or "INFO" in [Severity] {
drop {
}
}

This doesn't work. The host "WARNING" and "ERROR" event types are still reported, but not "INFO" types. How do I achieve what I'm trying to?

Thanks.

magnusbaeck · July 12, 2016, 5:55am

So the intended conditional becomes "drop the event unless it's is a warning or error unless the hostname is myhost"?

if [EventType] not in ["WARNING", "ERROR] and [Hostname] not in ["myhost1", "myhost", ...] {
  drop { }
}

Or, if you prefer, the following conditional is equivalent:

if !([EventType] in ["WARNING", "ERROR] or [Hostname] in ["myhost1", "myhost", ...]) {
  drop { }
}

Diggy · July 12, 2016, 1:50pm

Hi, and greetings, Magnus.

Yes, I'm after "drop the event unless it's is a warning or error unless the hostname is myhost". I'll try these. I really appreciate your help!

Diggy

Diggy · July 12, 2016, 6:40pm

Magnus,

I just wanted to report back that this filter seems to be working:

if !([EventType] in ["WARNING", "ERROR] or [Hostname] in ["myhost1", "myhost", ...]) {
drop { }
}

but this one doesn't:

if [EventType] not in ["WARNING", "ERROR] and [Hostname] not in ["myhost1", "myhost", ...] {
drop { }
}

Diggy

Topic		Replies	Views
Logstash Filter for Specific Winlogs Value Logstash	4	413	November 21, 2019
Logstash Filter Conditional Usage Logstash	3	276	July 10, 2019
How to filter events based on certain string? Logstash	9	11767	May 7, 2018
Dropping multiple windows events in logstash Logstash	6	522	December 6, 2018
IF Statement being ignored Logstash	3	333	September 27, 2018

Filter help

Related Topics