[SOLVED] Drop when a field is equal to

Alex_Lum · June 27, 2016, 7:40am

Hello all.
A new question, i need to drop lines when a fieldname is equal to something.

example :
Jun 27 09:27:37 10.0.6.1 date=2016-06-27 time=09:27:37 logid=0000000013 type=traffic subtype=forward level=notice dstintf="dmz" poluuid=e7a26648-eda7-51e4-5b13-a447d7d36689 sessionid=97003569 proto=6 action=close policyid=110 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop duration=2 sentbyte=1383 rcvdbyte=4979 sentpkt=8 rcvdpkt=9 appcat="unscanned"

if dstinf="dmz" then drop

how can i make that?
Thanks.

mourlos · June 27, 2016, 7:45am

Hi,

Assuming that you already use a filter to break down each field, you can use something like this:

[CODE]
filter {

Drop specific events

if [dstinf] == "dmz" {
drop { }
}
}
[/CODE]

Hope it helps. (In case you use it, make sure that the fields and values are the correct ones)

Alex_Lum · June 27, 2016, 8:12am

Thak you very much.
It works.
topic closed.