hello, I'm trying to perform a filter with some conditions, but when performing as follows, it doesn't work.
if "dns_server_process_query_send" or "Not authoritative" in [message] { drop {} }
but if I use the following way it works normally:
if "dns_server_process_query_send" in [message] { drop {} }
if "Not authoritative" in [message] { drop {} }
why can't I put the two conditions inside the same IF? am i doing something wrong?
You can. One of your conditions is "Not authoritative" in [message], and the other one is "dns_server_process_query_send" (which will always evaluate to true). You have to use
if "dns_server_process_query_send" in [message] or "Not authoritative" in [message] { drop {} }
really, that's the correct way, thank you very much @Badger !
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.