Skipping certain number of lines after regex match

#1 mime 4 years ago

Please, could you advise how to skip (drop) certain number of next log lines after the $raw_event matches (Exec if $raw_event =~ / .... / drop();) ??? Thanks!

Permalink

#2 ArkadiyDeactivated Nxlog ✓ 4 years ago

#1 mime

Please, could you advise how to skip (drop) certain number of next log lines after the $raw_event matches (Exec if $raw_event =~ / .... / drop();) ??? Thanks!

Hi. You could use counters and simple if-else conditioning like this:

    <Exec>
        create_stat('counter', 'COUNT');
        if $raw_event =~ /some_pattern/ and get_stat('counter') == 3 {
            add_stat('counter', -3);
        } else if get_stat('counter') < 3 {
            drop();
        }
    </Exec>

It will drop every three events after something which trigger regex. Please take a look and give it a try.
Regards, Arch