Filter help

I've added the following filter to only capture Windows event types "WARNING" AND "ERROR":

if [type] == "eventlog" and "INFO" in [EventType] {
  drop { }
}

Now, I'd like to exclude some hosts from this filter so that event types "INFO", "WARNING" AND "ERROR" are reported for them. I tried adding a regex, as follows:

if [Hostname] !~ /^myhost?/ and [type] == "eventlog" and "INFO" in [EventType] or "INFO" in [Severity] {
  drop { }
}

This doesn't work. The host "WARNING" and "ERROR" event types are still reported, but not "INFO" types. How do I achieve what I'm trying to?

Thanks.

So the intended conditional becomes "drop the event unless it's a warning or error unless the hostname is myhost"?

if [EventType] not in ["WARNING", "ERROR"] and [Hostname] not in ["myhost1", "myhost", ...] {
  drop { }
}

Or, if you prefer, the following conditional is equivalent:

if !([EventType] in ["WARNING", "ERROR"] or [Hostname] in ["myhost1", "myhost", ...]) {
  drop { }
}

Hi, and greetings, Magnus.

Yes, I'm after "drop the event unless it's a warning or error unless the hostname is myhost". I'll try these. I really appreciate your help!

Diggy

Magnus,

I just wanted to report back that this filter seems to be working:

if !([EventType] in ["WARNING", "ERROR"] or [Hostname] in ["myhost1", "myhost", ...]) {
  drop { }
}

but this one doesn't:

if [EventType] not in ["WARNING", "ERROR"] and [Hostname] not in ["myhost1", "myhost", ...] {
  drop { }
}

Diggy
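
Added example, not part of the thread: a small Python model of the drop conditionals discussed above, run over constructed events, to compare which events each one keeps before a filter goes into a logging pipeline. The function names, the sample events and the `Severity` values are assumptions, as is the reading that the trailing `or "INFO" in [Severity]` in the question's conditional is evaluated outside the hostname test.

```python
import re

# Constructed sample events; field names follow the thread, values are made up.
# Assumption: Severity carries the same level string as EventType.
EVENTS = [
    {"Hostname": "myhost1", "type": "eventlog", "EventType": "INFO", "Severity": "INFO"},
    {"Hostname": "myhost1", "type": "eventlog", "EventType": "WARNING", "Severity": "WARNING"},
    {"Hostname": "otherhost", "type": "eventlog", "EventType": "INFO", "Severity": "INFO"},
    {"Hostname": "otherhost", "type": "eventlog", "EventType": "ERROR", "Severity": "ERROR"},
]
EXEMPT_HOSTS = ["myhost1", "myhost"]  # hosts that should keep INFO events


def drop_original(e):
    """Conditional from the question; the trailing `or` sits outside the host test."""
    scoped = (not re.search(r"^myhost?", e["Hostname"])
              and e["type"] == "eventlog"
              and "INFO" in e["EventType"])
    return scoped or "INFO" in e["Severity"]


def drop_scoped(e):
    """Same tests, with both INFO checks grouped under the host and type tests."""
    return (not re.search(r"^myhost?", e["Hostname"])
            and e["type"] == "eventlog"
            and ("INFO" in e["EventType"] or "INFO" in e["Severity"]))


def drop_suggested(e):
    """Conditional from the reply: keep WARNING/ERROR, and everything on exempt hosts."""
    return not (e["EventType"] in ["WARNING", "ERROR"] or e["Hostname"] in EXEMPT_HOSTS)


def kept(rule):
    """Return (Hostname, EventType) for every sample event the rule does not drop."""
    return [(e["Hostname"], e["EventType"]) for e in EVENTS if not rule(e)]


if __name__ == "__main__":
    for rule in (drop_original, drop_scoped, drop_suggested):
        print(f"{rule.__name__:15} keeps {kept(rule)}")
```

Under these assumptions the first rule drops the INFO event from `myhost1` because the `Severity` check applies to every host, while the other two rules keep it.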