I am having a very strange situation where I have the following filter rule:

    # Drop every event whose top-level logger_name field is exactly "REPORT"
    if [logger_name] == "REPORT" {
      drop {}
    }

and I expect that any events with my field_name == "logger_name" with that specific value will be dropped, but it seems that those aren't. Can anyone shed any light on it? I would really appreciate it. Note that I have preceding and succeeding additional filter rules too. Is there any other area I have skipped looking into?
It worked for me. I added the if condition inside filter but outside the grok block; below is my code.

Don't get confused by my pattern. Just look at the if condition; it uses the column name given in the match criteria.

    filter {
      grok {
        patterns_dir => ["test/mylog/pattern"]
        # Literal [ ] and " in the pattern must be escaped; the custom patterns
        # (GREEDYDATA_END_NOSPACE, ZERO_OR_MORE_SPACE, TT_TS_LOG_TYPE) come from patterns_dir
        match => { "message" => "%{GREEDYDATA_END_NOSPACE:logTimestamp}%{ZERO_OR_MORE_SPACE}\[%{TT_TS_LOG_TYPE:logType}\]%{ZERO_OR_MORE_SPACE}\"%{GREEDYDATA:logMsg}\"" }
      }
      # The conditional runs after grok, so logType already exists when it is tested
      if [logType] == "I" {
        drop {}
      }
    }
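To make the point of the answer concrete, here is an added example (not code from either poster, and not Logstash itself) that simulates the relevant part of Logstash's behaviour in Python: filters run in order, a field reference such as [logType] names a top-level field, and the == comparison is an exact, case-sensitive string match. The regex standing in for the grok match and the three log lines are constructed here, because the custom grok patterns live in the poster's patterns_dir and are not on the page. It shows that the same drop condition removes the "I" event when it follows the filter that creates the field, removes nothing when it runs before that filter (the field does not exist yet, so the condition is simply false), and leaves alone a value that differs only by a trailing space.

```python
import re

# Constructed sample events; the third line carries "I " with a trailing space
# to show that the comparison is exact.
RAW_LINES = [
    '2024-01-01 00:00:00 [I] "informational message"',
    '2024-01-01 00:00:01 [E] "error message"',
    '2024-01-01 00:00:02 [I ] "logType with trailing space"',
]

# Simplified stand-in for the grok match in the answer (assumption: the
# poster's custom patterns are not available, so a plain regex is used).
GROK = re.compile(
    r'^(?P<logTimestamp>\S+ \S+)\s*\[(?P<logType>[^\]]*)\]\s*"(?P<logMsg>.*)"$'
)


def grok(event):
    """Add captured fields to the event, or tag it like Logstash does on failure."""
    m = GROK.match(event["message"])
    if m:
        event.update(m.groupdict())
    else:
        event.setdefault("tags", []).append("_grokparsefailure")
    return event


def drop_if(field_path, value):
    """Build a filter that drops the event when [a][b]... == value.

    Mirrors a Logstash conditional: a missing field makes the condition
    false (the event is kept), and the comparison is exact and case-sensitive.
    """
    def f(event):
        cur = event
        for key in field_path:
            if not isinstance(cur, dict) or key not in cur:
                return event          # field absent: nothing to compare, keep it
            cur = cur[key]
        return None if cur == value else event
    return f


def run_pipeline(filters, lines):
    """Push each raw line through the filters in order; None means dropped."""
    surviving = []
    for line in lines:
        event = {"message": line}
        for flt in filters:
            event = flt(event)
            if event is None:
                break
        if event is not None:
            surviving.append(event)
    return surviving


def correct_order(lines=RAW_LINES):
    """grok first, then the drop: the exact "I" event is removed."""
    return run_pipeline([grok, drop_if(["logType"], "I")], lines)


def drop_before_grok(lines=RAW_LINES):
    """Same drop placed before grok: logType does not exist yet, nothing is dropped."""
    return run_pipeline([drop_if(["logType"], "I"), grok], lines)


if __name__ == "__main__":
    for name, events in (("grok then drop", correct_order()),
                         ("drop then grok", drop_before_grok())):
        print(name, "->", [e.get("logType") for e in events])
```

The two things to check in a real pipeline follow directly: confirm that the filter producing the field runs before the conditional (pipeline order, or the ordering of the config files Logstash concatenates), and inspect an event that should have been dropped to verify the field is really top-level and its value is byte-for-byte what the condition compares against.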