Filter Json on specific key

Hello,

I am attempting to filter which lines of logs are being sent to the backend. I have read up on the following documentation; however, I didn't find my answer.
https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#exclude-lines

example json:
{
"timestamp": "2018-03-10T12:45:25.093419+0100",
"flow_id": 4.9497252168403e+14,
"in_iface": "lo",
"event_type": "alert",
"src_ip": "127.0.198.22",
"src_port": 80,
"dest_ip": "x.x.237.85",
"dest_port": 60618,
"html": "html data"
}
Now I would like to filter on whether src_ip = 127.0.198.22. I could probably do this by filtering by line and entering the whole string ("src_ip": "127.0.198.22",), but I was hoping to be able to parse the JSON and filter on line['src_ip'] = 127.0.198.22. Is this possible?

Why?
Regex can be a performance killer.
Possible injection of data via the html field if it contains "src_ip": "127.0.198.22",
Bad practice

Hello @eddie4, I am not sure from your description whether you are using JSON parsing in Filebeat.

If you were, could you use the following without a regexp?

processors:
  - drop_event:
      when:
        contains:
          src_ip: "127.0.198.22"
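For completeness, here is a full filebeat.yml that ties the two halves of this thread together: the input must decode each line as JSON before any processor runs, otherwise `src_ip` does not exist as a field, the condition never matches, and every event passes through unfiltered (the filter fails open). This is an added example, not the reply author's configuration or the Elastic documentation's; it assumes Filebeat 6.x with the `filebeat.inputs` syntax, a hypothetical Suricata log path of /var/log/suricata/eve.json, and a local Elasticsearch output. It uses `equals` rather than `contains`: `contains` is a substring test, so "127.0.198.22" would also match a source of 127.0.198.220, while `equals` requires the whole decoded value to match.

```yaml
# Added example (not from the original thread). Assumes Filebeat 6.x,
# a hypothetical log path and a local Elasticsearch output.
filebeat.inputs:
  - type: log
    paths:
      - /var/log/suricata/eve.json
    # Decode each line as JSON and lift its keys to the top level of the
    # event, so processor conditions can test decoded fields instead of
    # matching the raw text with a regexp.
    json.keys_under_root: true
    # Keep lines that fail to decode, tagged with an error, rather than
    # silently passing them through unfiltered.
    json.add_error_key: true

processors:
  # Exact match on the decoded src_ip field. Text such as
  # "src_ip": "127.0.198.22" embedded inside the html field stays inside
  # the html field after decoding, so it cannot trigger this condition.
  - drop_event:
      when:
        equals:
          src_ip: "127.0.198.22"

output.elasticsearch:
  hosts: ["localhost:9200"]
```

Before relying on this in production, send one event with the target src_ip and one with the same string only inside the html field through the pipeline and confirm that only the first is dropped; if both arrive, JSON decoding is not taking effect ahead of the processor.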
