Hi all,
I’m testing, so thousands of questions… Google helps but sometimes I cannot find answers…
Is there a way to discard messages with level less than 4 and from a specific IP?
Thanks all
You could use pipeline rules:
rule "Drop Message"
when
( has_field("Log_Level") && to_long($message."Log_Level") <= 4 )
AND
contains(
value: to_string($message."srcip"),
search: "127.0.0.1",
ignore_case: false
)
then
drop_message();
end
Note you would have to change “Log_Level” and “srcip” to match the relevant fields in your index.
Once you have created the rule, you would create a pipeline, apply it to the stream that contains the messages you need to filter, and then add the rule to the pipeline.
Edit: Also you would have to change “127.0.0.1” to match the IP you wish to filter.
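An added example of the same drop rule, not part of the thread above: it matches the original question exactly (level strictly less than 4) and compares the source IP with equality rather than contains(), so an address such as 192.0.2.100 is not dropped by accident when filtering 192.0.2.10. The field names "level" and "srcip" and the IP 192.0.2.10 are assumptions and must be changed to match your index.

```graylog
// Added example (not from the thread): drop messages that are BOTH below
// level 4 AND from one specific source address.
// "level", "srcip" and 192.0.2.10 are placeholders; adjust to your fields.
rule "drop low-level messages from one host"
when
    // Guard first: a missing field would otherwise make the rule fail silently.
    has_field("level") &&
    has_field("srcip") &&
    // Strictly less than 4, as asked in the question ("less than 4").
    to_long($message.level) < 4 &&
    // Exact match, so "192.0.2.100" or "10.192.0.2.10" are NOT dropped.
    to_string($message.srcip) == "192.0.2.10"
then
    drop_message();
end
```

Test the rule against a few sample messages in the pipeline simulator before connecting it to a production stream, since a dropped message cannot be recovered.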
Sorry, I made some tests with no result, maybe I’m tired.
I tried to simplify my rule, but cannot write a correct rule anyway… now I’m trying to simply delete a message with this rule:
rule “rimuovi messaggi inutili”
when
contains (to_strin(&message.message, “/var/log/traffic.log which reached max size”))
then
drop_message();
end
What is wrong with it?
Hey @marcottt
Try the below
rule "rimuovi messaggi inutili"
when
contains(to_string($message.message), "/var/log/traffic.log which reached max size")
then
drop_message();
end
You were not far off, just some syntax differences.
Works. Thanks, maybe I was a bit tired…