So I wrote a filter to drop any event that has a certain field with a value of null:
filter {
if[type] == "flow" and [packet_source][ip] == "" {
drop { }
}
}
However, this does not work. Does anyone have any idea why? The names of the parameters are correct
Logstash version 5.2
Please provide the logstash configs and a sample line of data.
Here is what my output looks like, and sometimes the "packet_source.ip" is empty, so I want to drop those packets.
As for my configs, I have the default ones, one set up for input from packetbeat, and that filter in my original post.
Try the following:
filter {
if[type] == "flow" and !([packet_source][ip]) {
drop { }
}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.