Hello, I'm trying to drop events using the following filter but its not working:
if [event_id] == 4658 and [event_data.ProcessName] == "C:\Windows\System32\CpqMgmt\cqmghost/cqmghost.exe" {
drop {}
}
I've tried using double slashes '\' and using forward slashes in the path but the event is till appearing in the index - can anyone tell me where I'm going wrong?
Thanks.
Two potential problems:
event_id field is a string and you're comparing it to an integer.ProcessName field is nested under event_data and you're using the wrong syntax for nested fields. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.Hello, event_id is a number type in my index so when I've dropped other events for example [event_id] == "1234" did not work, I had to remove the quotes before it would drop the events.
I've managed to drop the event just by using event ID and computer name, I didn't know about nested fields though, thanks for the info.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.