Unable to write not equal condition with filebeat processor

Sourabh_Sharma1 · March 11, 2021, 11:44am

`

dissect:
tokenizer: '"%{pid|integer} - %{service.name} - %{service.status}"'
field: "message"
target_prefix: ""
- drop_event:
  when:
  not:
  equals:
  pid|integer: "105"

smaple logs:

"321 - App01 - WebServer is starting"
"105 - App01 - WebServer is starting"
"109 - App01 - WebServer is starting"
"115 - App01 - WebServer is starting"

this single not equal works fine. when I apply it with or condition it is not work.

processors:
#- add_host_metadata: ~
#- add_cloud_metadata: ~
#- add_docker_metadata: ~
#- add_kubernetes_metadata: ~

dissect:
tokenizer: '"%{pid|integer} - %{service.name} - %{service.status}"'
field: "message"
target_prefix: ""
drop_event:
when:
or:
not:
equals:
pid|integer: "105"
not:
equals:
pid|integer: "115"

2021-03-11T17:14:37.654+0530 INFO instance/beat.go:655 Beat ID: fecab980-bf36-4d77-a0b2-4fe49d64b99d
2021-03-11T17:14:37.661+0530 INFO instance/beat.go:390 filebeat stopped.
2021-03-11T17:14:37.661+0530 ERROR instance/beat.go:958 Exiting: error initializing processors: failed to initialize condition: missing or invalid condition
Exiting: error initializing processors: failed to initialize condition: missing or invalid condition`

system · April 8, 2021, 1:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If then else not working in FileBeat processor Beats filebeat	2	2821	February 24, 2022
Journalbeat processor logical operators fail with expanded notation Beats journalbeat	4	1064	November 4, 2022
Drop_event processor with not and or condition filters out all event Beats filebeat	4	38	July 16, 2024
Indentation error on filebeat conf Beats filebeat	5	405	July 22, 2022
Can anyone guide me to correct autodiscover condition? Beats filebeat	9	1132	August 25, 2022

Unable to write not equal condition with filebeat processor

smaple logs:

Related Topics