blacklist

The blacklist rule checks a given field against a list of blacklisted terms and matches when the field's value is equal to one of them.

Synopsis

blacklist {
    # The name of the field to use to compare to the blacklist.
    # If the field is null, those events will be ignored.
    compare_field => "message"

    # List of blacklisted terms.
    # The compare_field term must be equal to one of these values for it to match.
    terms => ["val1","val2","val3"]

}

Available settings

Setting        Type    Info      Default value
compare_field  string  required  ""
terms          array   required  []

Common Options

Details

compare_field

  • This is a required setting
  • Value type is string
  • Default value is ""
  • The name of the field to use to compare to the blacklist. If the field is null, those events will be ignored.

terms

  • This is a required setting
  • Value type is array
  • Default value is []
  • List of blacklisted terms. The compare_field term must be equal to one of these values for it to match.
