'when not' not working

Hi guys, trying to push all log messages that contain 'Failed' or 'ERROR', but doesn't seem to like my syntax. I have looked at the syntax quite a bit but can't seem to nail it down. Didn't find any examples of "when not" for message.

    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - drop_event:
            when:
                not:
                    message: "Failed"
                 or:
                    message: "ERROR"

Thanks in advance

I believe I've solved the problem by just putting it under the log as:

- type: log
  paths:
    - [path_here]
  scan_frequency: 10s
  include_lines: ['Failed', 'ERROR']

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.