Is there a way to prevent specific events from being indexed? I don't mean specific fields, but conditionals for a field.
For example, we're ingesting netflow traffic data and I want to exclude all events that have both source and destination IPs from a specific range. While I know I can exclude these from search results, the point would be to cut down on the index sizes because netflow data is massive.
I'm guessing the best way might be with a pipeline processor, but honestly the docs for using pipelines are so arcane, I can't even get one to compile outside of something that's just descriptive. Even if I can get such a pipeline created, I don't know how it would get applied to the existing architecture.
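As an added illustration of the rule described in the question (not code from this thread or from Elastic), the following Python script applies the "drop only when both endpoints fall inside the range" condition to a few constructed netflow-style records before they would reach the index, and keeps anything with a missing or malformed address so it can still be inspected. The ECS-style field names `source.ip` / `destination.ip`, the example ranges and the sample records are all assumptions.

```python
import ipaddress

# Constructed netflow-style records for the demo; field names are assumed (ECS layout).
SAMPLE_EVENTS = [
    {"source": {"ip": "10.1.2.3"}, "destination": {"ip": "10.9.8.7"}, "network": {"bytes": 1200}},
    {"source": {"ip": "10.1.2.3"}, "destination": {"ip": "203.0.113.5"}, "network": {"bytes": 540}},
    {"source": {"ip": "198.51.100.9"}, "destination": {"ip": "10.0.0.1"}, "network": {"bytes": 80}},
    {"source": {"ip": "not-an-ip"}, "destination": {"ip": "10.0.0.1"}, "network": {"bytes": 16}},
    {"source": {}, "destination": {"ip": "10.0.0.1"}, "network": {"bytes": 16}},
    {"source": {"ip": "fd00::1"}, "destination": {"ip": "fd00::2"}, "network": {"bytes": 300}},
]


def _parse_ip(event, side):
    """Return the address stored under <side>.ip, or None if it is absent or malformed."""
    raw = event.get(side, {}).get("ip")
    if raw is None:
        return None
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def should_drop(event, networks):
    """True only when BOTH endpoints are inside one of the given networks.

    A missing or unparseable address never matches, so odd records are kept
    rather than silently discarded. Comparing an IPv4 address against an IPv6
    network (or vice versa) simply yields False."""
    src, dst = _parse_ip(event, "source"), _parse_ip(event, "destination")
    if src is None or dst is None:
        return False
    return any(src in net for net in networks) and any(dst in net for net in networks)


def filter_events(events, cidrs):
    """Apply the rule to an iterable of events; return (kept events, counters)."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    kept, stats = [], {"dropped": 0, "dropped_bytes": 0}
    for ev in events:
        if should_drop(ev, networks):
            stats["dropped"] += 1
            stats["dropped_bytes"] += ev.get("network", {}).get("bytes", 0)
        else:
            kept.append(ev)
    return kept, stats


if __name__ == "__main__":
    kept, stats = filter_events(SAMPLE_EVENTS, ["10.0.0.0/8", "fd00::/8"])
    print(f"kept {len(kept)} events, dropped {stats['dropped']} ({stats['dropped_bytes']} bytes)")
```

The `dropped_bytes` counter is only there to estimate how much flow volume the rule removes before ingest, which is the sizing question raised above.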
Thanks, I'll give that a shot. I tried something similar with the cidr filter, setting a tag and then trying to drop by matching tags, but while Logstash didn't complain it also didn't work.