I want to monitor only limited number of mount points using metric beat. How do I filter out the rest?
I did come across a filter -
filters:
- drop_event.when.regexp.mount_point: '^/(sys|cgroup|proc|dev|etc|host)($|/)'
Is this the only option around? This is for exclusion but not inclusion(which I require). This can be tweaked to somewhat serve my purpose but if only I do not get anything.
filters:
- drop_event.when.regexp.mount_point: ^((?!(/opt/apache|/opt/avamar/6)).)*$'
Probably you can use not condition here, take a look to https://www.elastic.co/guide/en/beats/filebeat/current/configuration-processors.html#condition-not
Thank you so much @exekias.
This worked for me.
Below is a working sample -
filters:
- drop_event:
when:
and:
- not:
equals:
mount_point: "/"
- not:
equals:
mount_point: "/boot"
- not:
equals:
mount_point: "/home"
- not:
equals:
mount_point: "/images"
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.