Drop all grok matches

Elastic Stack Logstash
1

I want to obliterate everything this grok filter matches unconditionally is there a simple way? There are a lot of combinations so it's better if mated by grok otherwise I will be declaring a lot of conditions. Unless of course there's a simple condition that can catch all of them.

This is what I tried and it doesn't work
grok {

match => {
"stacktraces" => "^(?[\w\d:-.()\ $[?]]+)"
}
drop { }
}
}
}

2

you can us add_tag => "drop" on the grok filter and than souround the drop with an if that checks for this tag

grok {
    match => {
        “stacktraces” => “^(?[\w\d:-.()\ $[?]]+)”
    }
    add_tag => [ "drop" ]
}
if "drop" in [tags] {
    drop { }
}
3

reason=>"Expected one of #, input, filter, output at line 25, column 1 (byte 637) after ", :level=>:error, :file=>"logstash/agent.rb", :line=>"448", :method=>"create_pipeline"}

4

I'm I missing something here?

5

Gotcha ... it was supposed to be in the filter. Working now

6

You don't need a grok filter, just wrap a drop filter in a conditional.

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

7

Magnus

How do I describe the lines because they haven't been through main filters yet. They are stacktrace lines I'm trying to get rid of. What's the best way of describing them so it's dropped before the main filter kicks in. At this point there are no fields.
I can't use
if [blah] in "message"

there's no message field yet.

8

Well, what is in the message then?

9 
    at ac.com.xxx.etrading.xxxxx.pfserver.services.PriceRequestListener.handlePriceRequest(PriceRequestListener.java:117) [pfserver-2.20.3.jar:?]
    at ac.com.xxx.etrading.xxxxx.pfserver.services.PriceRequestListener.onMessage(PriceRequestListener.java:204) [pfserver-2.20.3.jar:?]
    at ac.com.xxx.etrading.xxxxx.pfserver.services.PriceRequestListener.onMessage(PriceRequestListener.java:23) [pfserver-2.20.3.jar:?]
    at ac.com.xxx.etrading.xxxxx.messaging.tum.AbstractTumProtoSubscriber$TumProtoEventListener.go(AbstractTumProtoSubscriber.java:66) [xxxxx-messaging-tum-1.0.21.jar:?]
10

Is this an example of four lines of input or have you joined the lines into a single event?

We can save some time if you give more details. Seeing exactly what an event looks like is a good start. Use a stdout { codec => rubydebug } output to get the raw event.

And why would you want to drop these lines? Anyway, if they enter Logstash at all they are stored in a field and then you can use a conditional to drop them.

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.