Lucien Boix

[Filebeat] how to combine "and" and "not" conditions

Let's say you have landed on the official documentation page for the conditions you can use with processors, and you want to combine the "and" and "not" keywords in one condition. It is not as easy as it sounds: the dashes and the indentation have to be exactly right, and the docs do not show the two keywords together.

Here is a snippet that may help you. I use it to push only the logs from the kube-system namespace that belong to the pod named kube-dns (every other kube-system pod is dropped; events from other namespaces are not touched by this processor):

```yaml
processors:
  - drop_event:
      # "when" holds a single condition; "and" takes a list, so each
      # sub-condition gets its own dash and is indented under "and".
      when:
        and:
          - equals:
              kubernetes.namespace: "kube-system"
          # "not.contains" is the dotted shorthand for "not: { contains: ... }".
          # kubernetes.pod.name is the field set by add_kubernetes_metadata.
          - not.contains:
              kubernetes.pod.name: "kube-dns"
```
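To check what such a condition actually keeps and drops before shipping it, here is a small evaluator for the Filebeat condition keywords used above (`and`, `or`, `not`, `equals`, `contains`) run over a handful of constructed events. This is an added example, not Filebeat's own code: the evaluator mirrors the documented semantics, the `kubernetes.*` event layout follows what `add_kubernetes_metadata` produces, and the sample events are made up for the test. Two behaviours are assumptions stated in the comments: dotted condition keys such as `not.contains` are expanded like libbeat's config loader does, and `contains` on a missing field does not match.

```python
"""Minimal evaluator for Filebeat-style processor conditions (added example).

Mirrors the semantics of and / or / not / equals / contains closely enough
to show which events the drop_event condition from the post would drop.
"""
from typing import Any, Dict, List

# The YAML condition from the post, written as a Python dict.
DROP_WHEN: Dict[str, Any] = {
    "and": [
        {"equals": {"kubernetes.namespace": "kube-system"}},
        {"not.contains": {"kubernetes.pod.name": "kube-dns"}},
    ]
}

# Constructed sample events (not real Filebeat output), shaped like events
# enriched by add_kubernetes_metadata.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"message": "dns ok", "kubernetes": {"namespace": "kube-system", "pod": {"name": "kube-dns-5d4f6c7b8-x2k9p"}}},
    {"message": "proxy ok", "kubernetes": {"namespace": "kube-system", "pod": {"name": "kube-proxy-abcde"}}},
    {"message": "scaler ok", "kubernetes": {"namespace": "kube-system", "pod": {"name": "kube-dns-autoscaler-1234"}}},
    {"message": "app ok", "kubernetes": {"namespace": "default", "pod": {"name": "web-7f9c-abc12"}}},
    {"message": "no pod metadata", "kubernetes": {"namespace": "kube-system"}},
]


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as 'kubernetes.pod.name' in a nested event."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def expand_dotted(cond: Dict[str, Any]) -> Dict[str, Any]:
    """Expand {'not.contains': X} into {'not': {'contains': X}}.

    Assumption: this is how the Beats config loader treats dotted keys.
    Field names inside equals/contains are values here, so they stay intact.
    """
    out: Dict[str, Any] = {}
    for key, value in cond.items():
        head, *rest = key.split(".")
        if rest:
            value = expand_dotted({".".join(rest): value})
        out[head] = value
    return out


def matches(cond: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate one condition against one event."""
    cond = expand_dotted(cond)
    if len(cond) != 1:
        raise ValueError("a condition must have exactly one top-level key")
    kind, body = next(iter(cond.items()))
    if kind == "and":
        return all(matches(c, event) for c in body)
    if kind == "or":
        return any(matches(c, event) for c in body)
    if kind == "not":
        return not matches(body, event)
    if kind == "equals":
        return all(get_field(event, f) == v for f, v in body.items())
    if kind == "contains":
        # contains is a substring test; a missing or non-string field does
        # not match (assumption about Filebeat's behaviour on absent fields).
        return all(isinstance(get_field(event, f), str) and v in get_field(event, f)
                   for f, v in body.items())
    raise ValueError(f"unsupported condition: {kind}")


def drop_event(cond: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply drop_event: keep only the events the condition does NOT match."""
    return [e for e in events if not matches(cond, e)]


def surviving_messages(cond: Dict[str, Any] = DROP_WHEN,
                       events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[str]:
    """Messages of the events that would still be shipped."""
    return [e["message"] for e in drop_event(cond, events)]


if __name__ == "__main__":
    for msg in surviving_messages():
        print("kept:", msg)
```

Running it keeps "dns ok", "scaler ok" and "app ok". Two things worth noticing before relying on the snippet: `contains` is a substring match, so a pod such as kube-dns-autoscaler also survives (use `equals` on `kubernetes.pod.name` or `regexp` with an anchored pattern if that is not wanted), and a kube-system event that carries no `kubernetes.pod.name` at all is dropped, because `not` of a non-matching `contains` is true.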
I hope this helps. Do not hesitate to let me know in the comments or to suggest other tips.

Have a great day!

