Help with logstash conditional filter

Hello, I'm trying to create a filter to drop events that don't have "Lateral attack" or "Vulnerability exploit attack" in the message field, but it is giving an error. I would like to know what is wrong and what the correct way is.
Here's the filter:

filter {
  if 'Lateral attack' or 'Vulnerability exploit attack' not in [message] { mutate { drop { } } }
}

That gets parsed as the or of two conditions. The first is 'Lateral attack', which will evaluate to true, and the second is 'Vulnerability exploit attack' not in [message]. The or will always be true, so everything should be getting dropped.

Also, drop {} is a filter by itself, not an option of the mutate filter (this will produce an error message).

Use a match to a regexp with alternation:

if [message] !~ /(Lateral attack|Vulnerability exploit attack)/ { drop { } }
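The two conditionals from this thread, modelled in Ruby as an added example (not code from either poster, and not Logstash's own evaluator): the original rule, parsed the way the answer describes it, and the regex-alternation rule, each run over a few constructed sample messages. The sample messages and the helper names are assumptions made for the illustration.

```ruby
# Models the Logstash conditionals discussed above in plain Ruby.
# Logstash conditional syntax is not Ruby; this mirrors only the semantics
# the answer describes, so the precedence bug can be seen on sample input.

KEEP_PATTERN = /(Lateral attack|Vulnerability exploit attack)/

# The original filter, as Logstash parses it:
#   ('Lateral attack') or ('Vulnerability exploit attack' not in [message])
# The bare string literal on the left is always true, so the whole
# 'or' is always true and every event is dropped.
def drop_original?(message)
  literal_is_true = true # a bare string literal evaluates to true
  literal_is_true || !message.include?('Vulnerability exploit attack')
end

# What the poster intended: drop unless the message mentions either attack.
# Equivalent to the answer's
#   if [message] !~ /(Lateral attack|Vulnerability exploit attack)/ { drop { } }
def drop_fixed?(message)
  !message.match?(KEEP_PATTERN)
end

# Constructed sample events, not taken from any real system.
SAMPLE_MESSAGES = [
  'Alert: Lateral attack detected from host A to host B',
  'Alert: Vulnerability exploit attack against web server',
  'Info: scheduled backup completed',
].freeze

# Returns the events that survive a given drop rule.
def apply_drop_rule(messages, &drop_rule)
  messages.reject { |m| drop_rule.call(m) }
end

if __FILE__ == $PROGRAM_NAME
  puts "original rule keeps: #{apply_drop_rule(SAMPLE_MESSAGES, &method(:drop_original?)).inspect}"
  puts "fixed rule keeps:    #{apply_drop_rule(SAMPLE_MESSAGES, &method(:drop_fixed?)).inspect}"
end
```

Running it shows the original rule keeping nothing and the fixed rule keeping only the two attack alerts.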
