Unable to Drop syslog messages based on message contents

Hello,

Have you tried.

contains(to_string($message.msg), "DUPLEX_MISMATCH") 

By chance is that a custom field “message.msg”?

Have you seen this post?