Blocking logs with certain conditions

Hi,

There are some clients in our cluster that are sending logs longer than 1500 characters, these logs are basically useless. I was wondering if there was a way to block these kinds of logs entirely.

Thanks in advance.

To drop a message over 1500 chars, it should be something like this:

  # length of [request]; .to_s guards against a missing field (nil has no .length)
  ruby { code => "event.set('[linelength]', event.get('[request]').to_s.length)" }

  # make sure the comparison below is numeric
  mutate {
       convert => { "linelength" => "integer" }
  }

  # drop anything over the 1500-character threshold
  if [linelength] > 1500 {
       drop { }
  }

  # remove the helper field from events that survive
  mutate {
       remove_field => ["linelength"]
  }

Another option is to keep these messages as proof of flooding/inconsistency and save them in a separate index.
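The filter logic from the reply above as a plain Ruby function, added here as an example and not part of the original thread. It can be run outside Logstash: `StubEvent` is an assumed stand-in for the Logstash event object (same `get`/`set`/`cancel` calls), `filter_oversized` is a hypothetical name, and the sample events are constructed. It also covers the two choices the reply mentions, dropping the event or tagging it so an output conditional can route it to a separate index.

```ruby
MAX_LEN = 1500

# Stand-in for the Logstash event API (assumption, for running offline).
# Field names may be given as 'request' or '[request]'.
class StubEvent
  def initialize(fields)
    @fields = fields
    @cancelled = false
  end

  def get(name)
    @fields[name.tr('[]', '')]
  end

  def set(name, value)
    @fields[name.tr('[]', '')] = value
  end

  def cancel
    @cancelled = true            # what drop { } does to an event
  end

  def cancelled?
    @cancelled
  end
end

# Body of the ruby filter: records the length, then either drops the
# event (mode :drop) or tags it (mode :tag) so the output section can
# send it elsewhere with: if "oversized" in [tags] { ... }.
# .to_s guards against a missing [request] (nil has no .length).
def filter_oversized(event, max_len: MAX_LEN, mode: :drop)
  text = event.get('[request]').to_s
  event.set('[linelength]', text.length)   # already an Integer, no convert needed
  return event if text.length <= max_len

  case mode
  when :drop then event.cancel
  when :tag  then event.set('[tags]', Array(event.get('[tags]')) + ['oversized'])
  end
  event
end

# Constructed sample events: a normal line, a flood line, and one with no [request].
SAMPLE = [
  { 'request' => 'GET /health' },
  { 'request' => 'A' * 1600 },
  { 'message' => 'no request field here' },
].freeze

def run_sample(mode)
  SAMPLE.map { |fields| filter_oversized(StubEvent.new(fields.dup), mode: mode) }
end
```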
