filter in eval function

Question

HI all

I am trying to create a pipeline where all syslog data will land and i want to filter the events from device i want based on a string in _raw filed like firewall or any other unique string.

i have tried _raw.includes(‘Firewall’) or /Firewall/ though when i check in advanced mode in filter tab it matches the correct event but when i am checking it on a sample log i have built for testing it passes all the events regardless of filter.

I know this can be done in routes itself but still would prefer if i could build a pipeline and more function inside it for each sources.

rcalvert · Answer

To selective drop events within a Pipeline, you will want to use the drop function rather than Eval.

Details from docs:
https://docs.cribl.io/stream/drop-function/
The Drop Function deletes any events that meet its Filter expression. This is useful when you want to prevent certain events from continuing to a Pipeline’s downstream Functions.

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded