Filter Json on specific key

eddie4 · March 30, 2018, 11:14am

Hello,

Am attempting to filter which lines of logs are being send to the backend. I have read up on the following documentation however i didn't find my answer.
https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#exclude-lines

example json:
{
"timestamp": "2018-03-10T12:45:25.093419+0100",
"flow_id": 4.9497252168403e+14,
"in_iface": "lo",
"event_type": "alert",
"src_ip": "127.0.198.22",
"src_port": 80,
"dest_ip": "x.x.237.85",
"dest_port": 60618,
"html": "html data"
}
Now i would like to filter on if src_ip = 127.0.198.22. Now I could probably do this by filtering by line and entering the whole string("src_ip": "127.0.198.22",). But I was hoping to be able to parse the json and filter line['src_ip'] = 127.0.198.22 is this possible?

why?
Regex can be a performance killer.
Possible injection of data via the html field if it contains "src_ip": "127.0.198.22",
Bad practice

pierhugues · March 30, 2018, 12:41pm

Hello @eddie4, I am not sure from your description if are you using JSON parsing on Filebeat?

If you were you use the following without a regexp?

processors:
 - drop_event:
     when:
        contains:
           src_ip: "127.0.198.22"

system · April 27, 2018, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to use drop_event to filter json Beats filebeat	5	1356	February 16, 2017
About Beats Input Logstash	6	253	May 18, 2023
Nested JSON parsing issues Beats filebeat	9	1603	February 28, 2020
JSON Logs Parsed with JSON codec but not JSON filter Logstash	3	1045	February 15, 2018
Filebeat not filtering data according to fields in decode_json_fields Beats filebeat	1	335	February 15, 2019

Filter Json on specific key

Related topics