I would like to filter out the string "Alert" in the message field of my index. The field is a keyword field. To achieve this, I have written the following:
filter {
  mutate {
    # adds a constant field to every event before the lookup
    add_field => { "secret" => "<my_secret>" }
  }
  elasticsearch {
    hosts    => ["<my_host>:9200"]
    ssl      => true
    ca_file  => "/etc/ssl/certs/ca-certificates.crt"
    index    => "<my_index>"
    # query_string syntax; message is a keyword field in the index
    query    => 'message: "Alert"'
    user     => "<my_user>"
    password => "<my_password>"
    # copies the matched document's message into event metadata
    fields => {
      "message" => "[@metadata][message]"
    }
  }
}
It does not achieve the desired result. I believe I am missing something fundamental.