How can I check event.field value from a file?

Ishaan · March 15, 2021, 4:52pm

How can I check if the event.field_name value is present in the file? If yes, drop the event otherwise send the event to elasticsearch.

Note: The field_name could have multiple values in that file, and I want to check if the field_name value is present among the multiple values in that file.

aaron-nimocks · March 15, 2021, 7:42pm

You can add a conditional statement in your filter and then drop the event if it matches.

Something like the below.

    filter {
      if [event.field_name] == "value" {
        drop { }
      }
    }

Ishaan · March 15, 2021, 8:47pm

Can we compare with the value present in a file (local storage)?

aaron-nimocks · March 15, 2021, 8:57pm

Yes. If you know all the options for the name you can do something like

    filter {
      if [fieldname] or [fieldname2] or [anotherway] or [afourth] {
        drop { }
      }
    }

Badger · March 16, 2021, 1:27am

Your question is not entirely clear, but if you are asking what I think you are asking you might be able to do it with a translate filter, otherwise you could do it in ruby, use the init option to load the file, build an array of entries, then test array membership in the code option and call event.cancel if you want to drop the event.

system · April 13, 2021, 1:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.