We have updated our Terms of Service, Code of Conduct, and Addendum.

Can I filter meta data in a custom Event Breaker Ruleset?

Rob Franz
Rob Franz Posts: 33 mod
in General Discussions

Hi All, using HEC Input I set meta data fields like index, sourcetype, and so on. Can I filter them in a custom Event Breaker Ruleset? So basically the question is, what is applied first, the Event Breaker Ruleset or Fields? Cheers, Mario

Answers

  • bradleychambers
    bradleychambers Posts: 3 mod

    Hi Mario. Event Breaker are the first thing that is always applied. Adding Fields in the source comes after that. Therefore filtering needs to happen in a pipeline.

  • Rob Franz
    Rob Franz Posts: 33 mod

    Hi <@UGDQ4TRB2&gt; and is it possible to filter on `__hecToken` in a custom Event Breaker Ruleset? To clarify a bit more: This is about HEC input and how to apply custom Event Breaker Ruleset. That said, the filter I reffer to is to filter the data which should use my custom Breaker (see Screenshot). I need this one, because the standard `Max Event Bytes`is to low.

  • Rob Franz
    Rob Franz Posts: 33 mod

    0

  • bradleychambers
    bradleychambers Posts: 3 mod

    I am not sure if __hecToken is already present at EventBreaker time, I actually doubt it. But to be tested and confirmed. About using the Event Breaker. What about using a combination of inputID and field match or worst case regex using match, includes, startsWith EndWith etc.?

  • Rob Franz
    Rob Franz Posts: 33 mod

    Thanks a lot. I will try and let you know, otherwise I will find something in _raw to filter on.

  • SonOfBuzi
    SonOfBuzi Posts: 12

    __hecToken works in event breaker filter i have a few setup like that

  • Rob Franz
    Rob Franz Posts: 33 mod

    <@U020VPXGT34&gt; Thanks for your feedback on this.

Categories