I'm trying to drop events going into my Index in Opensearch where if the value in the "delay" field is less than 500 drop it.
I've tried doing this with the following code in my ingest pipeline for that index but doesn't seem to be doing what I want it to and not giving any errors to suggest there is an issue.
"drop": {
"if": "ctx.delay <= '500'"
}
I have tried without putting single quotes around the 500 number and when I remove ctx it fails the pipeline request.
The delay field is a field I have managed to extract from the message field via a grok expression and I've set this to numerical in both the grok expression and via the index mappings and it shows up in Opensearch as it's own field and and is shown as a numerical field.
However, all the examples I see regarding the drop processor all seemed to be based on string value and are always done like if the value contains or if the value is ==.
I was wondering if anyone has done this before to see if it's possible to use the drop processor this way and if so how did you manage to get it to work.
Thanks.