Hi,
I want to filter out Checkpoint events based on two different conditions:
1. It comes from a specific IP XX.XX.XX.XX; I have this information in the host metadata field.
2. The action field, after parsing the _raw, can't be equal to allowed.
I can filter out these two conditions separately with stanzas like this:
[parse-action]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue
[parse-hosts]
SOURCE_KEY = MetaData:Host
REGEX = (xx.xx.xx.xx|yy.yy.yy.yy)
DEST_KEY = queue
FORMAT = nullQueue
But I need both of them to be true at the same time, so I need to do an AND between them.
How could I accomplish this?
PS: I don't have the host info anywhere in the _raw data, so I can't use the same regex.
Edit: Another approach would be to add the AND condition in props.conf. This is the configuration right now:
TRANSFORMS-checkpoint_events = parse-action, parse-hosts
Instead of telling it to apply this after this, I want to apply this AND this.
And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf