Filter when field is missing

grants · January 23, 2018, 5:14pm

I need to be able to build a drop rule when a filed is missing from the event, I'm not currently able to filter and do not see any conditions that would help with this. Example:

processors:
- drop_event.when:
    and:
      - equals.event_id: 800
      - or:
         ## Common
          - equals.event_data.param1: "    Microsoft.PowerShell.Core\\Set-StrictMode -Off"
         ## no command / param1 missing
          - equals.event_data.param1: ""

I know this can be dropped at Logstash, but I don't even want to send events to Logstash if "param1" is not present in the 800 events.

Can anyone help with some winlogbeat filtering config that could accomplish this task? I think i can do this with a not matches regex with ".*" but this seems like it would be a performance hit.

tudor · January 23, 2018, 8:45pm

We don't have an exists conditional, but I think it would make sense to provide one. If you can open an enhancement ticket, we can probably add it for a future version.

In the meantime, if you can get the regexp version to work, I think there shouldn't be a huge performance hit since the regexp won't actually get to run.

grants · February 1, 2018, 3:55pm

Where would I open this request or are you talking about a issue on the git page?

tudor · February 1, 2018, 5:17pm

Please open a ticket here: https://github.com/elastic/beats/issues

system · March 1, 2018, 5:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop events if a field does not exist Beats filebeat	2	2206	January 8, 2018
Unable to drop events Beats winlogbeat	6	1030	June 28, 2018
Filebeat drop_event Beats filebeat	2	4017	July 5, 2017
Processor [drop_event] not dropping events Beats winlogbeat	9	9314	February 16, 2017
Drop event if condition Logstash	7	3170	February 14, 2020

Filter when field is missing

Related topics