Issue with regex pattern for prune filter plugin blacklist_names

sai_kiran1 · July 23, 2019, 2:14pm

Hi There!

I am trying to ignore the fields a4, a5, a6....., a1100 from my audit logs and tried applying prune filter plugin with setting blacklist_names, but I see the fields a4, a5, a6..... are still incoming.

Can someone let me know if this is the correct way we use regex for prune Or suggest any way to achieve this particular scenario where I can ignore a specific set of fields?

Below is the setting that was implemented:

prune {
blacklist_names => ["^a[4-9][0-9][0-9][0-9]"]
add_tag => [ "pruned" ]
}

Thanks,
Sai

Badger · July 23, 2019, 2:22pm

No, it does not work that way. See this post.

sai_kiran1 · July 23, 2019, 3:38pm

@Badger Thanks for the reference , Does this work with field names as well ?
I need to check on field names and ignore if it falls in the list of field names

In my case field names are a4, a5, a6, a7.......a2000.

Badger · July 23, 2019, 3:54pm

Yes, in that example I am testing the value

                if v == ""
                    event.remove(k)
                end

But you could equally well test the key against whatever regexp you want

  if k =~ /^a[0-9]+/ ...

sai_kiran1 · July 25, 2019, 4:07pm

@Badger that helped me to achieve my requirement, Thank you.

Below is the code I used to ignore fields a4, a5, a6, a7.......a2000 keeping a0, a1, a2, a3

ruby {
                        code => "event.to_hash.each { |k, v|
                                        if k =~ /^a[4-9]/ || k=~ /^a[0-9]{2,}/
                                                event.remove(k)
                                                event.tag('ruby')
                                        end
                                        }
                                "
                }

system · August 22, 2019, 4:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.