Hi All,using HEC Input I set meta data fields like index, sourcetype, and so on. Can I filter them in a custom Event Breaker Ruleset?So basically the question is, what is applied first, the Event Breaker Ruleset or Fields?Cheers, Mario
Page 1 / 1
Hi Mario. Event Breaker are the first thing that is always applied. Adding Fields in the source comes after that. Therefore filtering needs to happen in a pipeline.
0
Hi <@UGDQ4TRB2>and is it possible to filter on `__hecToken` in a custom Event Breaker Ruleset?To clarify a bit more: This is about HEC input and how to apply custom Event Breaker Ruleset. That said, the filter I reffer to is to filter the data which should use my custom Breaker (see Screenshot). I need this one, because the standard `Max Event Bytes`is to low.
I am not sure if __hecToken is already present at EventBreaker time, I actually doubt it. But to be tested and confirmed.About using the Event Breaker. What about using a combination of inputID and field match or worst case regex using match, includes, startsWith EndWith etc.?
Thanks a lot.I will try and let you know, otherwise I will find something in _raw to filter on.
__hecToken works in event breaker filter i have a few setup like that
<@U020VPXGT34> Thanks for your feedback on this.
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.