I am trying to code my filter to drop an event when three specific fields contain the text "Other", but cant seem to get events actually to drop. Here is the statement I am using, do I have the syntax and format correct? If not, please let me know what I did wrong.
if [ua.device] == "Other" and [ua.name] == "Other" and [ua.os] == "Other" { drop { id=> "drop noisy EWS chatter" } }
[ua.device] references a field with a dot in its name. [ua][device] reference an object that contains a field called device. You most likely want the latter.
Awesome, that took care of it! Thanks for the consult!!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.