Hello, I'm trying to create a filter to drop events that don't have "Lateral attack" or "Vulnerability exploit attack" in the message field, but it is giving an error. I would like to know what is wrong and what the correct way is.
Here's the filter:
filter {
if 'Lateral attack' or 'Vulnerability exploit attack' not in [message] { mutate { drop { } } }
}
That gets parsed as the or of two conditions: the first being 'Lateral attack', which will evaluate to true, and the second being 'Vulnerability exploit attack' not in [message]. The or will always be true, so everything should be getting dropped.
Also, drop {} is a filter by itself, not an option of the mutate filter (this will produce an error message).
Use a match to a regexp with alternation:
if [message] !~ /(Lateral attack|Vulnerability exploit attack)/ { drop { } }
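To make the precedence point concrete, here is an added Ruby example (not part of the original thread) that evaluates both conditionals, the one from the question and the corrected one, against a few constructed sample messages. Ruby is used because Logstash's conditional regexps follow Ruby regexp syntax; the event hashes, messages and IP addresses are made up for the demonstration.

```ruby
# Added example, not from the original thread: simulate how the two Logstash
# conditionals evaluate against constructed sample events.

# Same alternation as the corrected conditional; case-sensitive as written.
KEEP_PATTERN = /(Lateral attack|Vulnerability exploit attack)/

# Constructed sample events standing in for what Logstash would see in [message].
SAMPLE_EVENTS = [
  { "message" => "Lateral attack detected from 10.0.0.5 to 10.0.0.7" },
  { "message" => "Vulnerability exploit attack blocked on web01" },
  { "message" => "User login succeeded" },
  { "message" => "lateral attack detected" } # lowercase: will not match
].freeze

# The original conditional as Logstash actually parses it:
#   ('Lateral attack') or ('Vulnerability exploit attack' not in [message])
# The bare string literal on the left is always truthy, so the whole
# expression is always true and every event is dropped.
def drop_original?(event)
  left  = true # the literal 'Lateral attack' never evaluates to false
  right = !event["message"].to_s.include?("Vulnerability exploit attack")
  left || right
end

# The corrected conditional: drop only when [message] does NOT match the
# regexp alternation ( [message] !~ /(Lateral attack|Vulnerability exploit attack)/ ).
def drop_corrected?(event)
  !KEEP_PATTERN.match?(event["message"].to_s)
end

# Apply a drop predicate to the events and return the messages that survive.
def surviving_messages(events)
  events.reject { |event| yield(event) }.map { |event| event["message"] }
end

if __FILE__ == $PROGRAM_NAME
  puts "original filter keeps:  #{surviving_messages(SAMPLE_EVENTS) { |e| drop_original?(e) }.inspect}"
  puts "corrected filter keeps: #{surviving_messages(SAMPLE_EVENTS) { |e| drop_corrected?(e) }.inspect}"
end
```

Running it shows the original conditional keeping nothing and the corrected one keeping exactly the two matching events. Note that the lowercase "lateral attack" sample is also dropped: the pattern is case-sensitive unless you add an inline (?i) modifier, which Ruby's regexp engine accepts.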