Need assistance on combined processors within metricbeat module

J_Weeda · January 7, 2021, 8:36am

Hello, I need assistance on getting a combined processor up and running.
Situation: I'm running metricbeat 7.9.1. I would like to set up the metricbeat to monitor windows services when:

windows.service.display_name start with 'XYZ' AND
windows.service.start_type is Automatic

I have tried many notations among which below but I can't get the filtering implemented:
`processors:

    - drop_event:

        when:

            and:

                not.regex:

                        - windows.service.display_name: "^XYZ.*"

                not.equals:

                        - windows.service.start_type: "Automatic"`

How do I achieve this?

jsoriano · January 12, 2021, 7:41pm

Hey @J_Weeda,

It seems that you are negating the conditions, could you try with the following config, without the nots?

    - drop_event:
        when:
            and:
                regex:
                        - windows.service.display_name: "^XYZ.*"
                equals:
                        - windows.service.start_type: "Automatic"`

system · February 9, 2021, 9:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.