Need assistance on combined processors within metricbeat module

J_Weeda · January 7, 2021, 8:36am

Hello, I need assistance on getting a combined processor up and running.
Situation: I'm running metricbeat 7.9.1. I would like to set up the metricbeat to monitor windows services when:

windows.service.display_name start with 'XYZ' AND
windows.service.start_type is Automatic

I have tried many notations among which below but I can't get the filtering implemented:
`processors:

    - drop_event:

        when:

            and:

                not.regex:

                        - windows.service.display_name: "^XYZ.*"

                not.equals:

                        - windows.service.start_type: "Automatic"`

How do I achieve this?

jsoriano · January 12, 2021, 7:41pm

Hey @J_Weeda,

It seems that you are negating the conditions, could you try with the following config, without the nots?

    - drop_event:
        when:
            and:
                regex:
                        - windows.service.display_name: "^XYZ.*"
                equals:
                        - windows.service.start_type: "Automatic"`

system · February 9, 2021, 9:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to create a proper processor for windows module to filter certain services Beats windows , metricbeat	2	493	August 5, 2020
Metricbeat service terminates when `or` condition in `drop_event` Beats metricbeat	3	1078	February 5, 2018
Metricbeat 7.0.1 Windows Module Services Beats metricbeat	7	1020	July 3, 2019
Metricbeat 7.3 windows module sevice metricset filter error Beats metricbeat	1	365	August 29, 2019
Metricbeat windows module not working as expected Beats metricbeat	1	166	August 21, 2023

Need assistance on combined processors within metricbeat module

Related topics