How can I check event.field value from a file?

Ishaan · March 15, 2021, 4:52pm

How can I check if the event.field_name value is present in the file? If yes, drop the event otherwise send the event to elasticsearch.

Note: The field_name could have multiple values in that file, and I want to check if the field_name value is present among the multiple values in that file.

aaron-nimocks · March 15, 2021, 7:42pm

You can add a conditional statement in your filter and then drop the event if it matches.

Something like the below.

    filter {
      if [event.field_name] == "value" {
        drop { }
      }
    }

Ishaan · March 15, 2021, 8:47pm

Can we compare with the value present in a file (local storage)?

aaron-nimocks · March 15, 2021, 8:57pm

Yes. If you know all the options for the name you can do something like

    filter {
      if [fieldname] or [fieldname2] or [anotherway] or [afourth] {
        drop { }
      }
    }

Badger · March 16, 2021, 1:27am

Your question is not entirely clear, but if you are asking what I think you are asking you might be able to do it with a translate filter, otherwise you could do it in ruby, use the init option to load the file, build an array of entries, then test array membership in the code option and call event.cancel if you want to drop the event.

system · April 13, 2021, 1:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Check existence of a field and checking null value in field Logstash	4	14065	July 6, 2017
Check if field value is present at certain file Logstash	1	776	May 26, 2017
Best way to drop event based on the value(in an array) of a field Logstash	2	423	June 12, 2020
Ruby filter to check fields dynamically Logstash	10	972	October 4, 2022
Field value filter Logstash	7	4432	September 1, 2017

How can I check event.field value from a file?

Related topics