Hi,
I want to filter out Checkpoint events based on two different conditions:
1. It comes from a specific IP XX.XX.XX.XX; I have this information in the host metadata field.
2. The action field, after parsing the _raw, can't be equal to allowed.
I can filter out these two conditions separately with stanzas like these:
# transforms.conf
[parse-action]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

[parse-hosts]
SOURCE_KEY = MetaData:Host
REGEX = (xx.xx.xx.xx|yy.yy.yy.yy)
DEST_KEY = queue
FORMAT = nullQueue
But I need both of them to be true at the same time, so I need to do an AND between them.
How could I accomplish this?
PS: I don't have the host info anywhere in the _raw data, so I can't use the same regex.
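One way to get the AND, as an added example that is not part of the original post: scope the action-based nullQueue transform to the specific hosts through props.conf host stanzas, so the regex on _raw is only evaluated for events whose host metadata matches. The [parse-hosts] transform is then not needed; the IPs are placeholders, and the files must sit wherever the events are parsed (indexer or heavy forwarder).

```ini
# props.conf (assumed placement: the parsing tier, not a universal forwarder)
# A host:: stanza only applies to events whose MetaData:Host matches,
# which supplies the first condition (source IP). One stanza per host.
[host::xx.xx.xx.xx]
TRANSFORMS-null = drop-accepted

[host::yy.yy.yy.yy]
TRANSFORMS-null = drop-accepted

# transforms.conf
# The second condition (action field in _raw) is only tested for events
# that already passed the host:: match above, so both must hold before
# the event is routed to nullQueue and discarded.
[drop-accepted]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue
```

Events from any other host never reach the [drop-accepted] transform and are indexed normally, as are events from the listed hosts whose action is not accept.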