Dear,
I am sending the logs from my file server with winlogbeat.
I just send the log with event 4663, to track file deletion, however, the Kibana view shows several temporary file events (* .tmp). Is it possible to do this filter in the Logstash input or some display filter in Kibana?
You can probably do it either way, but the exact implementation depends on what an example event looks like. Copy an example event from Kibana's JSON tab.
Please don't post screenshots when regular copy/paste of the text works just as well (or better). It's also easier to obfuscate private data that way.
Okay, good, the filename is already in a discrete field. Just use a drop filter wrapped in a conditional that inspects the contents of the [event_data][ObjectName] field. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals and the many examples that have been posted in the past.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
