Remove whole documents with certain value in field

Elastic Stack Logstash
1

Hello there
I have apache logs in which are documents that I want to remove completely.
Whole documents not fields so I do not want to use remove_field in mutate.
I have tried drop:

filter {
      if "field_name" == "exact_value" {
        drop {}
      }
      }

so it looked like this in final:

filter {
      if "url.original" == "/im/nagios.plc" {
        drop {}
      }
      }

But it will not work, the documents are still there.
I have also tried drop { } with space inside.
I have tried [url.original] and [url.original] ==>
Logs of logstash will not show any problems.

I prefer not to create tags and then delete the documents with tags but if there will be no other way I will do it

Thank you for help!

2

Is url.original a field with a period in its name, or is it a url object that contains an original field, in which case you should refer to it as [url][original] in logstash?

3

It is unfortunately field with period. That is why I finally chose to put it in " " instead of brackets.
And for this particular value is exactly: /im/nagios.plc
I did not know if REGEX will work, so I chose exact value.

4

In that case I would expect that to work.

5

I restarted logstash, refreshed indexes. Nothing.
Maybe I will wait till next index will be created and it will not have this documents?

6

I found the answer. The if statement was good, but I fixed my format of apache logs.