Hi there, so I am receiving syslogs with different formats. I ONLY want to grok out the ones that have the characters "[App/" in them. The others, I would like to ignore and NOT send to ES.
Here's an example of a log:
249 <14>1 2018-09-05T18:12:19.71683+00:00 eTDS.Dev.redge-ms-dev 27fb291c-5b1f-4b6c-aac4-44fa261f400a [APP/PROC/WEB/0] - - at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496) [tomcat-embed-core-8.5.31.jar!/:8.5.31]
What I thought I could do was this:
if [type] == "syslog"
if "[APP/" in [message]
match => grokpattern here
But it still seems to be passing on the logs that do NOT contain [APP/
Any ideas? What am I missing?
Update: Ok, I see what it's doing. It's doing what I am telling it to do I suppose.. when it sees a log that doesn't have "[APP/", it doesn't try and parse it which results in no grokfailure (good), but still sends it on to ElasticSearch (bad).
So do I have to add an else statement and add a 'tag' and then in the output ONLY send logs that don't have that tag?