Metricbeat service terminates when `or` condition in `drop_event`

I'm using Metricbeat 6.1.1 on a Windows Server 2012.

My goal is to monitor services, but not all.

I'm using the drop_event processor to exclude events and the or condition to specify the services to exclude.

- module: windows
  metricsets: ["service"]
  period: 30s
  processors:
  - drop_event:
    when:
      or:
        - equals:
          windows.service.display_name: Service Display Name 1
        - equals:
          windows.service.display_name: Service Display Name 2
        - equals:
          ...
        - equals:
          windows.service.display_name: Service Display Name N

Less than 30s after starting the service, it silently terminates...

I ran metricbeat test modules windows service and metricbeat test config and both are okay. The former takes a bit of time to return something though.

However, I'm able to exclude one service but the configuration doesn't include the or condition.

- module: windows
  metricsets: ["service"]
  period: 60s
  processors:
  - drop_event:
    when:
      equals:
        windows.service.display_name: Service Display Name 1

I know that the Windows Service metricset is in beta. I just wanted to make sure that I was not doing anything wrong since I haven't seen discussions on this.

It looks like an indentation issue, try:

  - drop_event:
    when:
      or:
        - equals:
            windows.service.display_name: Service Display Name 1
        ...

Best regards

You're right, it's an indentation issue.

What you gave me didn't solve it though. Here is what solved it:

processors:
- drop_event.when:
    or: #Extra indentation on this line
      - equals:
          windows.service.display_name: Name1 #Extra indentation on this line
      - equals:
          windows.service.display_name: Name2 #Extra indentation on this line

Thanks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.