Capture Message

Hi Team,
I am testing my Logstash output and found that it is stashing as below.
But I would like to know how I can match and capture only the entries in the log - "Sign on javacode failed for user USERA"

Kindly help.

{
              "oprid" => "-",
         "@timestamp" => 2020-04-08T15:17:06.944Z,
        "log_message" => "Sign on javacode failed for user USERA@xxx.xxx.xx.xx..",
      "TOPInstanceID" => "1610670968891559937",
               "path" => "/searchtech/logstash-7.6.1/bin/failelogin.log",
      "app_timestamp" => "2020-03-31T11:56:24.569",
               "host" => "nonelastic",
          "serequest" => "437",
          "timestamp" => 2020-03-31T11:56:24.569Z,
           "@version" => "1",
            "process" => "JVM",
             "prcsid" => "128077",
            "service" => "login",
          "log_level" => "3",
               "SRID" => "c9qnpn/QLB2UyA"
}
{
              "oprid" => "-",
         "@timestamp" => 2020-04-08T15:17:06.944Z,
        "log_message" => "(502): USERA@xxx.xxx.xx.xx is an Invalid User ID, or you typed the wrong password.  Make sure you're typing in the correct upper and lower case.",
      "TOPInstanceID" => "1610670968891559937",
               "path" => "/searchtech/logstash-7.6.1/bin/failelogin.log",
      "app_timestamp" => "2020-03-31T11:56:24.569",
               "host" => "nonelastic",
          "serequest" => "437",
          "timestamp" => 2020-03-31T11:56:24.569Z,
           "@version" => "1",
            "process" => "JVM",
             "prcsid" => "128077",
            "service" => "login",
          "log_level" => "1",
               "SRID" => "c9qnpn/QLB2UyA"
}

Are you saying that you want to drop events that do not contain "Sign on javacode failed for user" in the [log_message] field? You could do that using

if "Sign on javacode failed for user" not in [log_message] { drop {} }
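A fuller filter block built around the conditional in the answer above, added here as an example and not part of the original thread: it keeps only the failed sign-on events and then captures the account and origin from log_message into their own fields. The field names failed_user and failed_origin and both tags are assumptions chosen for illustration.

```logstash
filter {
  # Keep only the failed sign-on events. Everything else, including the
  # "(502): ... is an Invalid User ID" event shown above, is dropped.
  if "Sign on javacode failed for user" not in [log_message] {
    drop {}
  }

  # Capture the account and origin from a message such as
  #   "Sign on javacode failed for user USERA@xxx.xxx.xx.xx.."
  # failed_user / failed_origin are assumed field names.
  grok {
    match => {
      # [^@\s]+  : account name, up to the "@"
      # \S+?\.*$ : origin, without the trailing dots the application appends
      "log_message" => "Sign on javacode failed for user (?<failed_user>[^@\s]+)@(?<failed_origin>\S+?)\.*$"
    }
    # Added on a successful match, so downstream outputs or alert rules
    # can select these events without repeating the string test.
    add_tag => ["failed_login"]
    # Assumed tag name: marks events that passed the string test but did
    # not fit the expected layout, so a format change is noticed.
    tag_on_failure => ["_failed_login_parse_failure"]
  }
}
```

With the account and origin in separate fields, repeated failures can be counted per user or per origin in Elasticsearch instead of being searched for inside the free-text message.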

Thank you! That worked.
