Blocking logs with certain conditions


There are some clients in our cluster that are sending logs longer than 1500 characters, these logs are basically useless. I was wondering if there was a way to block these kinds of logs entirely.

Thanks in advance.

To drop a message over 1500 chars, should be something like this:

  ruby { code => "event.set('[linelength]', event.get('[request]').length)" }

  mutate { 
       convert => { "linelength" => "integer" } 

  if [linelength]>1500 {
       drop { }
  mutate {
       remove_field => ["linelength"]

Other option is to keep this messages as proof of flooding/inconsistency and save in a separated index.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.