This is my logstash.conf. I want to drop all lines whose message begins with "(", but Logstash is not showing the data in the console and is not sending it to logstash.
input {
  # Listen for events shipped by Beats agents (the filebeat.yml on this
  # page sends to localhost:5044).
  # Only the port is set. The plugin's documented default bind address
  # is 0.0.0.0, so the listener is reachable on every interface, and
  # with no ssl options it accepts plaintext, unauthenticated
  # connections. That is acceptable for a loopback-only test; set `host`
  # to the loopback address or enable TLS before the port is reachable
  # from other machines.
  beats {
    port => 5044
  }
}
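filter {
  # Break a multi-line event into one event per line so the conditional
  # below is evaluated against each line on its own.
  # The terminator is deliberately left at the plugin default (a real
  # newline). Do not write terminator => "\n" here: unless
  # config.support_escapes is enabled in logstash.yml, that quoted string
  # is the two characters backslash + n, not a newline, and the message
  # would never be split.
  split {
    field => "message"
  }

  # Discard every event whose message starts with an opening parenthesis.
  # A regex literal keeps the pattern independent of how quoted strings
  # treat backslashes.
  if [message] =~ /^\(/ {
    drop { }
  }
}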
output {
  # Index every event that survived the filter stage into the local
  # Elasticsearch node, under the "indeed" index.
  # No credentials or TLS options are given, so this only works against
  # a node that accepts anonymous plaintext requests. Keep such a node
  # bound to loopback.
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "indeed"
  }

  # Echo each event to the console in rubydebug form. If nothing is
  # printed here, no event reached the output stage: check the shipper
  # and the filter. The full event body is printed, so remove this
  # output once debugging is done if the logs may hold sensitive data.
  stdout {
    codec => rubydebug
  }
}
This is my filebeat.yml:
filebeat.inputs:
  # Every "-" entry is one input; most options are set per input, so
  # different inputs can carry different configurations.
  - type: log
    # Set to false to switch this input off.
    enabled: true
    # Files to harvest (glob patterns are allowed).
    paths:
      - 'C:\elasticstack\filebeat-7.10.2-windows-x86_64\filebeat-7.10.2-windows-x86_64\logs\test.log'
      #- c:\programdata\elasticsearch\logs\*
    # Multiline grouping: with negate=true and match=after, lines that do
    # NOT match the pattern are appended to the preceding line that does.
    multiline.pattern: 'CLOCTRL[[:space:]]\d'
    multiline.negate: true
    multiline.match: after
    # Line filters run on the already-combined multiline event, and
    # include_lines is applied before exclude_lines.
    # NOTE(review): presumably "^" then anchors to the first line of each
    # group only. Confirm that each group starts with the dd-mm-yyyy
    # timestamp or contains ETAPE, otherwise this input ships nothing.
    include_lines:
      - '^(3[01]|0[1-9]|[12][0-9])(-?)(1[0-2]|0[1-9])(-?)([0-9]{4})[[:space:]]([0-9]{2}):([0-9]{2}):([0-9]{2})'
      - 'ETAPE'
    exclude_lines:
      - '^\('
      - '^[[:space:]]'
output.logstash:
  # Logstash endpoint(s) that receive the harvested events.
  # No ssl.* settings are present, so events travel in plaintext. That
  # is fine while the target is loopback; configure TLS before pointing
  # this at a remote host.
  hosts:
    - 'localhost:5044'