Hello,
I am attempting to filter which lines of logs are being sent to the backend. I have read up on the following documentation; however, I didn't find my answer.
https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#exclude-lines
Example JSON:
{
"timestamp": "2018-03-10T12:45:25.093419+0100",
"flow_id": 4.9497252168403e+14,
"in_iface": "lo",
"event_type": "alert",
"src_ip": "127.0.198.22",
"src_port": 80,
"dest_ip": "x.x.237.85",
"dest_port": 60618,
"html": "html data"
}
Now I would like to filter on whether src_ip = 127.0.198.22. I could probably do this by filtering by line and entering the whole string ("src_ip": "127.0.198.22",), but I was hoping to be able to parse the JSON and filter on line['src_ip'] = 127.0.198.22. Is this possible?
Why?
Regex can be a performance killer.
Possible injection of data via the html field if it contains "src_ip": "127.0.198.22",
Bad practice.
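One way to do this in Filebeat, as an added example that is not part of the original post: let the log input decode each line as JSON first, then drop events with a drop_event processor whose condition compares the parsed src_ip field rather than matching text. The log path is an assumption.

```yaml
filebeat.inputs:
  - type: log
    # Assumed path; point this at the file that holds the JSON lines.
    paths:
      - /var/log/suricata/eve.json
    # Decode each line as JSON before any processor runs, so the condition
    # below is evaluated against the parsed src_ip field and not against a
    # substring that might also appear inside the html field.
    json.keys_under_root: true
    json.add_error_key: true

processors:
  # Drop the whole event when the decoded src_ip field equals the value.
  # No regex is involved: this is an exact comparison on one field.
  - drop_event:
      when:
        equals:
          src_ip: "127.0.198.22"
```

Lines that fail to decode keep their raw message and get an error.message field instead of a src_ip field, so they are not dropped and can be reviewed separately.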