Drop Events Based on Specific Field Values or Patterns

Drop events based on specific field values or patterns during normal searching, using the dropEvent() function inside a case statement.

Query

```logscale
case {
  fielda = badresult | dropEvent();
  fieldb = badresult | dropEvent();
  wildcard("badip", field=[fieldc, fieldd]) | dropEvent()
}
```

Introduction

The dropEvent() function can be used both during queries and within the parser pipeline.

In this example, the dropEvent() function is used within normal searching, inside a case statement, to drop events based on specific values and patterns. When used within normal searching, dropEvent() is simply an alias for false: it filters the matching events out of the result set.

Step-by-Step

  1. Starting with the source repository events.

  2. Flow: Events -> Drop Event -> Result Set

    ```logscale
    case {
      fielda = badresult | dropEvent();
      fieldb = badresult | dropEvent();
      wildcard("badip", field=[fieldc, fieldd]) | dropEvent()
    }
    ```

    Starts a case statement containing the following three conditions:

    If fielda equals badresult, drop the event.

    If fieldb equals badresult, drop the event.

    If either fieldc or fieldd contains the string badip (using wildcard matching), drop the event.

    Each condition uses the dropEvent() function as the action to take when the condition is met. The wildcard() function is used in the third condition to perform pattern matching with wildcards against multiple fields, specified with the array notation field=[fieldc, fieldd].

  3. Event Result set.

Summary and Results

This query is used to drop events based on specific field values or patterns. In all three cases, the events that contain the filtered information will be removed from the results. This is useful, for example, for event processing or log filtering.
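The following is an added example, not part of the original page, showing the same drop logic applied in a parser pipeline (the other place the introduction says dropEvent() can be used). The field names, the `badresult` value and the `badip` pattern are placeholders carried over from the query above; the `parseJson()` step and the surrounding `*badip*` pattern (a substring match rather than an exact value) are assumptions. The trailing `*` branch is included so that events matching none of the three conditions continue through the pipeline and are stored.

```logscale
// Parser pipeline: parse the incoming JSON event, then drop noisy or unwanted
// events before they are stored (added example, not the page's own code)
parseJson()
| case {
    // exact value matches on two separate fields
    fielda = badresult | dropEvent();
    fieldb = badresult | dropEvent();
    // substring match across two fields; *badip* is an assumed pattern
    wildcard("*badip*", field=[fieldc, fieldd]) | dropEvent();
    // pass-through for every event that matched none of the above
    *
  }
```

Before deploying a drop rule in a parser, run the same case statement as a normal search over a recent time window with a `| count()` appended to each dropping branch replaced by a tag, so the volume being discarded can be checked against expectations.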