Drop complete row or message

kundan · December 15, 2023, 6:21am

Hi,
I want to drop full row based on one of the field. I am using following in filter.

filter {
        grok {
            match => {"message" => ["%{IP:ip} %{SPACE}\{user:%{USERNAME:UserId}\}"]}
        }
        date {
            locale => "en"
            timezone => "UTC"
            match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss"]
            target => "@timestamp"
        }

        if "ANONYMOUS" in [UserId] {
            drop { }
        }
        else {
           }
        }

When I run, this, all log lines end up in kibana only difference is that all fields like ip and userID are -.

Also I want to process all log files in folder created after specific time. is there any filter for that?

Badger · December 15, 2023, 7:08pm

Only difference between what and what?

system · January 12, 2024, 7:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Creating drop filters based on a string search in a message field Logstash	13	38914	November 4, 2022
Ignore a specific or drop a field when using another Grok Pattern Logstash	4	860	May 18, 2021
Grok filter confusion - Am I missing something? Logstash	9	4080	July 6, 2017
Drop filter erros Logstash	5	128	June 14, 2024
How to drop the following documents? Logstash	3	100	May 29, 2024

Drop complete row or message

Related Topics