How to use "and" in a Logstash filter

I want to check if "domain" and "[100]" in [message] { drop { } } but it is dropping only first "domain" and not "[100]".

What am I doing wrong?

I believe that is testing if the field [domain] exists and whether the string [100] is a substring of [message]. What do you actually want to test?

I need to test two conditions before dropping the log. If message has "domain" and "[100]" then drop it else not.

Do you want to test whether it contains those two strings?

Yes, if those exist in one message.

Then you need two substring matches. I think that would be

if "domain" in [message] and "[100]" in [message] { drop { } }

It works only with strings or numbers. I tried with just 100 and it worked, but it did not work with "[100]". Just out of curiosity, does it have any limitations for certain characters? like ""

I am unable to explain that.
