You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Provide a way to blacklist field values from unknown fields, aka from any/all/pattern matched field names without needing to explicitly list the field names individually, preferably using a regex pattern for the field name.
In this example, prune is used to remove fields with names containing any of a list of unwanted characters.
There's also a prune to remove fields with blacklisted values but blacklist_values requires each field name to be listed.
This doesn't work so well with some logging use cases where fields might be appearing in events that haven't yet been seen before or for ensuring certain items are blacklisted from all fields.
prune {
# can also be written as: blacklist_names => ["&","{","}",">",";",","]
blacklist_names => ["&{}>;,"]
}
prune {
blacklist_values => [ "bad_field_value1","(;|,|&|{|}|>)",
"bad_field_value2","(;|,|&|{|}|>)" ]
}
named fileprefix1-* that have a value with any of these chars (;|,|&|{|}|>)
named fieldprefix2-* that have a value containing a ; char
any field name with a < char
This would be a more complex loop and probably expensive on performance.
But as a starting point a way to blacklist values from any fields might be useful to begin with.
The text was updated successfully, but these errors were encountered:
Provide a way to blacklist field values from unknown fields, aka from any/all/pattern matched field names without needing to explicitly list the field names individually, preferably using a regex pattern for the field name.
In this example, prune is used to remove fields with names containing any of a list of unwanted characters.
There's also a prune to remove fields with blacklisted values but blacklist_values requires each field name to be listed.
This doesn't work so well with some logging use cases where fields might be appearing in events that haven't yet been seen before or for ensuring certain items are blacklisted from all fields.
but it would be more flexible to be able to do:
which would drop fields:
fileprefix1-*
that have a value with any of these chars(;|,|&|{|}|>)
fieldprefix2-*
that have a value containing a;
char<
charThis would be a more complex loop and probably expensive on performance.
But as a starting point a way to blacklist values from any fields might be useful to begin with.
The text was updated successfully, but these errors were encountered: