Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter conditions when field is present or not present. #6285

Closed
gwsales opened this issue Feb 5, 2018 · 4 comments
Closed

Filter conditions when field is present or not present. #6285

gwsales opened this issue Feb 5, 2018 · 4 comments
Labels
enhancement good first issue Indicates a good issue for first-time contributors libbeat

Comments

@gwsales
Copy link

gwsales commented Feb 5, 2018

Need added filter conditions to filter on events that do or do not have specific fields present in the events.

Logstash Example to be ported to winlogbeats:

if ![field] {
drop {}
}
or
if [field]{
drop {}
}

Current workaround is to do a regex with .* or a not regex .*.
@exekias exekias added enhancement libbeat good first issue Indicates a good issue for first-time contributors labels Feb 6, 2018
@exekias
Copy link
Contributor

exekias commented Feb 6, 2018

I'm 👍 to this feature, having a condition to check if a field (or list of fields) exist would be very useful

@videetssinghai
Copy link

Hey If anyone isn't working on this, can I take this up?
Please provide some guidance to start

@exekias
Copy link
Contributor

exekias commented Feb 28, 2018

Awesome @videetssinghai 🎉, as far as I know, no one is working on this, so feel free to give it a try! Here you have some useful pointers:

  1. Docs on existing conditions: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#conditions
  2. Implementation of current conditions: https://github.com/elastic/beats/blob/master/libbeat/processors/condition.go

@sriranganathan sriranganathan mentioned this issue Mar 24, 2018
Merged
sriranganathan added a commit to sriranganathan/beats that referenced this issue Mar 28, 2018
@sriranganathan
Add Condition to check if a list of fields exists
1994899 
- Create condition to check whether the give list of fields exist in the event
- Add Tests for the created condition
- Add Documentation for the created condition
- closes - elastic#6285
@andrewvc
Copy link
Contributor

Closing, was fixed in #6653

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement good first issue Indicates a good issue for first-time contributors libbeat
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@andrewvc @exekias @videetssinghai @gwsales