whitelist

Similar to blacklist, this processor compares a given field to a whitelist and matches if the list does not contain the term.

Synopsis

whitelist {
    # The name of the field to use to compare to the whitelist.
    # If the field is null, those events will be ignored.
    compare_field => "message"

    # A list of whitelisted terms.
    # The compare_field term must be in this list or else it will match.
    terms => ["val1","val2","val3"]

}

Available settings

Setting         Type    Info      Default value
compare_field   string  required  ""
ignore_missing  bool              true
terms           array   required  []

Common Options

Details

compare_field

  • This is a required setting
  • Value type is string
  • Default value is ""
  • The name of the field to use to compare to the whitelist. If the field is null, those events will be ignored.

ignore_missing

  • Value type is bool
  • Default value is true
  • If true, events without the compare_field field will not match.

terms

  • This is a required setting
  • Value type is array
  • Default value is []
  • A list of whitelisted terms. The compare_field term must be in this list or else it will match.
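
The settings above, modelled as an added example (not the processor's own code) to show what the default ignore_missing => true means when the whitelist drives an alert: events that lack the field are never flagged. The function name, the sample events and the "user" field are constructed; exact, case-sensitive comparison and the behaviour with ignore_missing => false are assumptions.

```python
from typing import Any, Iterable


def whitelist_matches(event: dict[str, Any], compare_field: str,
                      terms: Iterable[str], ignore_missing: bool = True) -> bool:
    """Return True when the event "matches", i.e. its value is NOT whitelisted."""
    value = event.get(compare_field)
    if value is None:
        # Documented: with ignore_missing true, events without the field do not match.
        # Assumption: with ignore_missing false, such events do match.
        return not ignore_missing
    # Assumption: the whole field value is compared exactly and case-sensitively.
    return value not in list(terms)


# Constructed sample events for an allowlist of service accounts.
EVENTS = [
    {"user": "svc-backup", "action": "login"},   # whitelisted, no match
    {"user": "mallory", "action": "login"},      # not whitelisted, match
    {"action": "login"},                         # compare_field absent
    {"user": "SVC-BACKUP", "action": "login"},   # differs only in case
]
ALLOWED = ["svc-backup", "svc-deploy"]


def flagged(ignore_missing: bool) -> list[int]:
    """Indexes of the sample events that would match the whitelist processor."""
    return [i for i, event in enumerate(EVENTS)
            if whitelist_matches(event, "user", ALLOWED, ignore_missing)]


if __name__ == "__main__":
    print("ignore_missing=true :", flagged(True))
    print("ignore_missing=false:", flagged(False))
```

When the whitelist is used for detection, route events without the field to a separate check so that a missing value is still reviewed.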
