Pass multiple conditions as an array to drop_event

Hi,

I am trying to pass multiple values as an array to drop_event

This works

      processors:
      - drop_event:
          when:
             contains:
                message: "Starting Session"

But I have multiple strings to match

Both of the below don't:

      processors:
      - drop_event:
          when:
             contains:
                message: ["Starting Session","Started Session","Removed slice User"]

      processors:
      - drop_event:
          when:
             contains:
                message:
                  - "Starting Session"
                  - "Started Session"
                  - "Removed slice User"

What am I doing wrong here?

Hey @jibsonline,

I am not sure if contains supports multiple values in the same condition; you would need to define multiple contains conditions joined by an or condition, something like this:

          processors:
          - drop_event:
              when:
                 or:
                   - contains.message: "Starting Session"
                   - contains.message: "Started Session"
                   - contains.message: "Removed slice User"

Or you may try to build a condition using a single regular expression, something like this:

          processors:
          - drop_event:
              when:
                 regexp:
                   message: "(Starting Session|Started Session|Removed slice User)"

Thanks. So what does this do?

message: ["Starting Session","Started Session","Removed slice User"]

As mentioned in the documentation

Where is this mentioned in the documentation? I think that only some conditions support something like this.

https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-contains

contains
The contains condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.

But it doesn't say what condition is satisfied when "an array of strings" is passed. People tend to assume it will match on "any".

Oh, this means that the field in the document can be a string or an array of strings; in that case the condition matches if any of these strings matches.
But the documentation also mentions that "The condition accepts only a string value".

But the condition doesn't trigger when any of the strings matches. You can refer to my initial post.

In your initial post you are passing arrays of strings to the condition, but as documentation says, "The condition accepts only a string value".

When the documentation says that the field can be an array of strings, it means that if you have a field in a document that is an array of strings, like tags in this one:

{
  "tags": [
    "session",
    "start"
  ]
}

And a condition like this one:

      processors:
      - drop_event:
          when:
             contains:
                tags: "session"

The condition will match.

Let me know if this helps to clarify. I see that mentioning that the field can be an array of strings can be confusing, but I think the docs are clear about not accepting arrays in the condition.
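To make the semantics discussed in this thread concrete, here is an added example (not Beats code, just a small model of how the contains, regexp and or conditions are described here): a string condition value is matched against a field that is either a string or an array of strings, an array condition value is rejected, and the or-of-contains and single-regexp forms drop the same events. The events and the evaluate/drop_events helpers are constructed for illustration.

```python
import re

# Constructed sample events (not from the original post).
EVENTS = [
    {"message": "Starting Session 12 of user root."},
    {"message": "Removed slice User Slice of root."},
    {"message": "Accepted publickey for admin"},
    {"tags": ["session", "start"]},
]

def contains(event, field, value):
    # The field may hold a string or an array of strings; the condition
    # value must be a single string, matching if any element contains it.
    if not isinstance(value, str):
        raise TypeError("contains condition accepts only a string value")
    actual = event.get(field)
    if isinstance(actual, str):
        return value in actual
    if isinstance(actual, list):
        return any(isinstance(s, str) and value in s for s in actual)
    return False

def regexp(event, field, pattern):
    actual = event.get(field)
    return isinstance(actual, str) and re.search(pattern, actual) is not None

def evaluate(cond, event):
    # One condition per dict, in either the nested ({"contains": {"message": ..}})
    # or the dotted ({"contains.message": ..}) form a YAML parser would produce.
    (key, val), = cond.items()
    name, _, field = key.partition(".")
    if field:
        val = {field: val}
    if name == "or":
        return any(evaluate(c, event) for c in val)
    if name == "and":
        return all(evaluate(c, event) for c in val)
    if name == "contains":
        return all(contains(event, f, v) for f, v in val.items())
    if name == "regexp":
        return all(regexp(event, f, v) for f, v in val.items())
    raise ValueError(f"unsupported condition: {key}")

def drop_events(events, when):
    # Model of drop_event: keep only the events the condition does not match.
    return [e for e in events if not evaluate(when, e)]

OR_WHEN = {"or": [{"contains.message": "Starting Session"},
                  {"contains.message": "Started Session"},
                  {"contains.message": "Removed slice User"}]}
REGEXP_WHEN = {"regexp": {"message": "(Starting Session|Started Session|Removed slice User)"}}
```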

Got it. I missed the "The field" part of it. Misinterpreted it as "The condition" can be a string or array.

But still, it should throw an error when an unacceptable mapping is found for the condition, because it says "The condition accepts only a string value".
