Hi,
I'm trying to filter out some data but for some reason the conditional I'm using isn't working. I'm using a similar config for another log and there it's working fine.
I also tried putting the conditional after renaming the fields in case child fields somehow where causing the issue but that isn't working either. What am I doing wrong?
filter {
if [type] == "netflow" {
if [netflow][l4_src_port] == "8888" {
drop { }
}
if [netflow][l4_dst_port] == "8888" {
drop { }
}
mutate {
add_field => { "location" => "A" }
rename => { "[netflow][ipv4_dst_addr]" => "ipv4_dst_addr" }
rename => { "[netflow][ipv4_src_addr]" => "ipv4_src_addr" }
rename => { "[netflow][l4_src_port]" => "l4_src_port" }
rename => { "[netflow][l4_dst_port]" => "l4_dst_port" }
rename => { "[netflow][out_bytes]" => "out_bytes" }
rename => { "[netflow][in_bytes]" => "in_bytes" }
rename => { "[netflow][in_bytes]" => "in_bytes" }
rename => { "[netflow][protocol]" => "protocol" }
}
mutate {
remove_field => [ "@version", "host", "netflow" ]
}
}
}