Processor in cascade

franco.federico · December 7, 2019, 3:11pm

Hi all

I think to use processor, I'd like to know if it possible to do this

processors:
  - add_filed: 
    fields:
      name: "pippo","pluto","paperino"
processors:
- if:
contains:
  name: "pluto"
      then: 
       - add_tags
         tags: true
         target: "is_found"
      else: 
        - drop_event

Do you think that is a correct configuration? I'd like to improve this processor in cascade with if contains change contains with another condition in order to check a field in winlogbeat like this

- if:
contains:
  name: winlog.eventdata.user

Thank you
Franco

andrewkroh · January 3, 2020, 3:36am

Aside from some indentation issues, yes, you can nest if statements. If your logic is getting to complicated to be represented in YAML you could also try the script processor.

processors:
- script:
    lang: javascript
    id: my_filter
    source: >
      function process(event) {
          var name = event.Get("name");
          if (name === "pluto") {
              event.Tag("is_found");
          } else {
              event.Cancel();
          }
      }

system · January 31, 2020, 3:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Processors syntax Beats auditbeat	3	435	March 25, 2019
Filter winlogbeat Beats winlogbeat	3	769	October 28, 2019
Filtering events by message contents / Custom Processor Beats winlogbeat	8	2874	November 28, 2016
Send event logs to pipeline based on event_id Beats winlogbeat	6	399	November 4, 2020
If statement in winlogbeat configuration Beats winlogbeat	3	298	September 5, 2023

Processor in cascade

Related topics