I am trying to code my filter to drop an event when three specific fields contain the text "Other", but can't seem to get events to actually drop. Here is the statement I am using. Do I have the syntax and format correct? If not, please let me know what I did wrong.
if [ua.device] == "Other" and [ua.name] == "Other" and [ua.os] == "Other" { drop { id=> "drop noisy EWS chatter" } }
[ua.device] references a field with a dot in its name. [ua][device] references an object that contains a field called device. You most likely want the latter.
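The difference between the two reference forms, as an added example that is not part of the original thread and not Logstash's own code: a simplified Python model of bracketed field-reference lookup, run against two constructed events. The function names and sample events are hypothetical, and the model assumes a missing field evaluates to nothing, so the comparison with "Other" fails and the event is kept.

```python
import re

# Constructed sample event: the user-agent data is nested under "ua",
# which is the layout the answer above assumes.
NESTED_EVENT = {"ua": {"device": "Other", "name": "Other", "os": "Other"}}
# Constructed counter-example: top-level keys that literally contain a dot.
DOTTED_EVENT = {"ua.device": "Other", "ua.name": "Other", "ua.os": "Other"}

DOTTED_REFS = ["[ua.device]", "[ua.name]", "[ua.os]"]
NESTED_REFS = ["[ua][device]", "[ua][name]", "[ua][os]"]


def parse_reference(ref):
    """Split a bracketed field reference into path segments."""
    segments = re.findall(r"\[([^\[\]]+)\]", ref)
    # Reject anything that is not made up purely of [segment] groups.
    if not segments or "".join(f"[{s}]" for s in segments) != ref:
        raise ValueError(f"not a bracketed field reference: {ref!r}")
    return segments


def resolve(event, ref):
    """Walk the event one segment at a time; a missing field yields None."""
    node = event
    for key in parse_reference(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def should_drop(event, refs):
    """Model of the conditional: every referenced field must equal "Other"."""
    return all(resolve(event, r) == "Other" for r in refs)


if __name__ == "__main__":
    for name, event in (("nested", NESTED_EVENT), ("dotted", DOTTED_EVENT)):
        print(name,
              "| dotted refs drop:", should_drop(event, DOTTED_REFS),
              "| nested refs drop:", should_drop(event, NESTED_REFS))
```

With the nested event, the dotted references never match, so the noisy events keep flowing through the pipeline; only the `[ua][device]` form triggers the drop.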