Journalbeat processor logical operators fail with expanded notation

  • Version: 7.6.1
  • Operating System: Ubuntu 16.04

Creating a journalbeat configuration using logical operators according to the documentation causes failures:

processors:
  - drop_event:
      when:
        or:
          - equals:
              systemd.unit: "another-random.service"
          - equals:
              systemd.unit: "journalbeat.service"

On start: Exiting: error initializing processors: failed to initialize condition: missing or invalid condition

Collapsing the equals into dot-notated entries works:

processors:
  - drop_event:
      when:
        or:
          - equals.systemd.unit: "another-random.service"
          - equals.systemd.unit: "journalbeat.service"

Huge thanks to mark54g and csaide for help with the workaround!


Hi, welcome to the board,

This doesn't sound much like something to solve here, but more like a shout-out of kudos to the two folks.

Am I correct, or am I missing something here?

From the bug report page:

Please post all questions and issues on Beats - Discuss the Elastic Stack
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

So here is my bug report, please feel free to manage it however your process requires. Everything needed to reproduce is above, but if it does become an issue please tag me (vir-dis) so that I can monitor.

Ah, ok. I got it.

But in this case this doesn't really seem to be a bug, but more an indentation issue.
Can you please try something like this?

processors:
- drop_event:
    when:
      or:
      - equals:
          systemd:
            unit: another-random.service
      - equals:
          systemd:
            unit: journalbeat.service

https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-equals
https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-or
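A quick way to tell a YAML indentation mistake from a loader problem is to parse all three notations from this thread (expanded, dot-notated workaround, fully nested) and normalise dotted keys into nested maps the way Beats' config loader does; if the three come out identical, the difference lies in the loader, not in the YAML. This is an added example, not code from the thread or from Beats; it assumes PyYAML is installed, and the `or` / `equals` evaluator is a minimal stand-in for the real processor, written only to show which events the condition would drop.

```python
import yaml  # PyYAML, assumed installed; the strings below copy the thread's three 'when' blocks
EXPANDED = """\
or:
  - equals:
      systemd.unit: "another-random.service"
  - equals:
      systemd.unit: "journalbeat.service"
"""
DOTTED = """\
or:
  - equals.systemd.unit: "another-random.service"
  - equals.systemd.unit: "journalbeat.service"
"""
NESTED = """\
or:
- equals:
    systemd:
      unit: another-random.service
- equals:
    systemd:
      unit: journalbeat.service
"""

def expand_keys(node):  # 'a.b: v' -> {'a': {'b': v}}, applied recursively, lists included
    if isinstance(node, list):
        return [expand_keys(x) for x in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        *path, last = str(key).split(".")
        target = out
        for part in path:
            target = target.setdefault(part, {})
        target[last] = expand_keys(value)
    return out

def normalise(when_yaml):
    return expand_keys(yaml.safe_load(when_yaml))

def _subset(expected, actual):  # every leaf of expected is present in actual with an equal value
    if not isinstance(expected, dict):
        return expected == actual
    return isinstance(actual, dict) and all(k in actual and _subset(v, actual[k]) for k, v in expected.items())
def matches(cond, event):  # evaluate the thread's 'or' / 'equals' conditions against one event map
    if "or" in cond:
        return any(matches(c, event) for c in cond["or"])
    if "equals" in cond:
        return _subset(cond["equals"], expand_keys(event))
    raise ValueError("unsupported condition: %r" % sorted(cond))
```

Events may carry either nested maps or dotted field names (`systemd.unit`), since both are expanded before comparison.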