How to discard messages with a level less than 4 from a specific IP?

Hi all,
I'm testing, so thousands of questions… Google helps, but sometimes I cannot find answers…

Is there a way to discard messages with a level less than 4 and from a specific IP?

thanks all

You could use pipeline rules:

rule "Drop Message"
when
  // Log_Level must exist, otherwise to_long would fail; note that <= 4
  // also drops level 4 itself, use < 4 if only levels 0-3 should go
  ( has_field("Log_Level") && to_long($message."Log_Level") <= 4 )
  AND
  // substring match on the source address: "127.0.0.1" also matches
  // addresses such as 127.0.0.10, so compare exactly if that matters
  contains(
  value: to_string($message."srcip"),
  search: "127.0.0.1",
  ignore_case: false
)
then
  drop_message();
end

Note that you would have to change "Log_Level" and "srcip" to match the relevant fields in your index.

Once you have created the rule, you would create a pipeline, apply it to the stream that contains the messages you need to filter, and then add the rule to the pipeline.

Edit: Also you would have to change "127.0.0.1" to match the IP you wish to filter.

1 Like
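The rule in the answer above compares the source address with a substring match, so "127.0.0.1" would also match 127.0.0.10 or 127.0.0.100. The following is an added example, not code from the original thread, showing the same drop rule written with an exact address comparison (cidr_match on a /32) and with a default for to_long so that a missing or non-numeric level keeps the message rather than dropping it. The field names Log_Level and srcip are taken from the thread; the host 192.0.2.15 and the /32 mask are placeholders to replace with your own. If Log_Level is the syslog severity, remember that lower numbers are more severe (0 = emergency, 7 = debug), so confirm that "less than 4" really selects the messages you want to discard.

```graylog
// Added example, not from the original thread. Field names Log_Level and
// srcip follow the thread; 192.0.2.15/32 is a placeholder host to replace.
rule "drop low-level messages from one host"
when
  has_field("Log_Level") &&
  has_field("srcip") &&
  // to_long with a default: a non-numeric Log_Level yields 99, which
  // fails the "< 4" test and so keeps the message instead of dropping it
  to_long($message.Log_Level, 99) < 4 &&
  // cidr_match compares addresses, not strings: a /32 matches exactly one
  // host, a wider prefix such as /24 would match the whole subnet.
  // to_ip falls back to 0.0.0.0 if srcip is not a valid address.
  cidr_match("192.0.2.15/32", to_ip($message.srcip, "0.0.0.0"))
then
  drop_message();
end
```

As with the original answer, the rule only takes effect once it is added to a stage of a pipeline that is connected to the stream carrying these messages.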

Sorry, I made some tests with no result, maybe I'm tired.
I tried to simplify my rule, but I cannot write a correct rule anyway… now I'm trying to simply delete a message with this rule:

rule “rimuovi messaggi inutili”
when
contains (to_strin(&message.message, “/var/log/traffic.log which reached max size”))
then
drop_message();
end

What is wrong with it?

Hey @marcottt

Try the below

rule "rimuovi messaggi inutili"
when
contains(to_string($message.message), "/var/log/traffic.log which reached max size")
then
drop_message();
end

You were not far off, just some syntax differences.

2 Likes

Works. Thanks, maybe I was a bit tired…