Skip to main content
Question

Can I filter meta data in a custom Event Breaker Ruleset?

  • March 11, 2025
  • 7 replies
  • 36 views
R

Hi All,using HEC Input I set meta data fields like index, sourcetype, and so on. Can I filter them in a custom Event Breaker Ruleset?So basically the question is, what is applied first, the Event Breaker Ruleset or Fields?Cheers, Mario

    7 replies

    B

    Hi Mario. Event Breaker are the first thing that is always applied. Adding Fields in the source comes after that. Therefore filtering needs to happen in a pipeline.

    R
    • Rob Franz
    • Author
    • Employee
    • March 11, 2025

    0

    R
    • Rob Franz
    • Author
    • Employee
    • March 11, 2025

    Hi <@UGDQ4TRB2&gt;and is it possible to filter on `__hecToken` in a custom Event Breaker Ruleset?To clarify a bit more: This is about HEC input and how to apply custom Event Breaker Ruleset. That said, the filter I reffer to is to filter the data which should use my custom Breaker (see Screenshot). I need this one, because the standard `Max Event Bytes`is to low.

    B

    I am not sure if __hecToken is already present at EventBreaker time, I actually doubt it. But to be tested and confirmed.About using the Event Breaker. What about using a combination of inputID and field match or worst case regex using match, includes, startsWith EndWith etc.?

    R
    • Rob Franz
    • Author
    • Employee
    • March 11, 2025

    Thanks a lot.I will try and let you know, otherwise I will find something in _raw to filter on.

    S
    • SonOfBuzi
    • Inspiring
    • March 11, 2025

    __hecToken works in event breaker filter i have a few setup like that

    R
    • Rob Franz
    • Author
    • Employee
    • March 11, 2025

    <@U020VPXGT34&gt; Thanks for your feedback on this.

    Terms & ConditionsAccessibility statement