Filter WinEventLog Type by User.Name

The question is specific to but it also applies to any "multi-part" field like event_data.TargetUserName, etc., which all have the same issue in my experience.

In the following config example, logs that match bob in the message field are matched and dropped, but the filter will not match ann in the field and that log will not be dropped.

filter {
  if [type] == "wineventlog" {
    if [message] =~ 'bob' or
       [] =~ 'ann' {
      drop { }
    }
  }
}
Hopefully, I'm just missing something very simple here. Can anyone point me in the right direction?

You're using the wrong syntax for nested fields, see
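To show why the question's second condition never fires, here is an added example (not from the thread and not Logstash's own code) that models in Python how Logstash resolves field references: `[user][name]` walks into the nested object, whereas a dotted name inside a single pair of brackets, such as `[user.name]`, is looked up as one top-level key whose name contains a literal dot, so it resolves to nothing and a `=~` test against it is always false. The events below and their `user.name` layout are constructed for illustration; the correct Logstash form of the question's nested condition is `[user][name] =~ 'ann'`.

```python
# Added example: a minimal model of Logstash field-reference resolution.
# In Logstash, [user][name] descends into the nested object, while [user.name]
# names a single top-level key containing a literal dot. The events below are
# constructed for illustration, not real Windows event log data.
import re

# One bracketed segment, e.g. "[user]"; a reference is a run of these.
FIELD_REF = re.compile(r"\[([^\[\]]+)\]")


def parse_reference(ref):
    """Split a Logstash-style field reference into its path segments.

    '[user][name]' -> ['user', 'name']
    '[user.name]'  -> ['user.name']   (one key with a dot in it)
    A bare name without brackets is treated as a single top-level key.
    """
    if not ref.startswith("["):
        return [ref]
    parts = FIELD_REF.findall(ref)
    # Reject anything that is not a clean run of [segment] tokens.
    if "".join(f"[{p}]" for p in parts) != ref:
        raise ValueError(f"malformed field reference: {ref!r}")
    return parts


def get_field(event, ref):
    """Resolve a field reference against an event (nested dicts); None if absent."""
    node = event
    for key in parse_reference(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(event, ref, pattern):
    """Emulate `[ref] =~ 'pattern'`: a field that does not resolve never matches."""
    value = get_field(event, ref)
    if value is None:
        return False
    return re.search(pattern, str(value)) is not None


def should_drop(event):
    """The question's filter with the nested reference written correctly:
    drop when the message mentions bob or the nested user.name mentions ann."""
    return matches(event, "[message]", "bob") or matches(event, "[user][name]", "ann")


# Constructed sample events.
EVENT_BOB = {"type": "wineventlog", "message": "Logon by bob", "user": {"name": "bob"}}
EVENT_ANN = {"type": "wineventlog", "message": "Logon succeeded", "user": {"name": "ann"}}

if __name__ == "__main__":
    for ev in (EVENT_BOB, EVENT_ANN):
        print(
            ev["user"]["name"],
            "wrong [user.name] ->", matches(ev, "[user.name]", "ann"),
            "correct [user][name] ->", matches(ev, "[user][name]", "ann"),
            "drop ->", should_drop(ev),
        )
```

Running it shows the ann event is dropped only when the condition uses `[user][name]`; with `[user.name]` the lookup returns nothing and the event passes through, which is the behaviour described in the question.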
