Drop complete row or message

kundan · December 15, 2023, 6:21am

Hi,
I want to drop full row based on one of the field. I am using following in filter.

filter {
        grok {
            match => {"message" => ["%{IP:ip} %{SPACE}\{user:%{USERNAME:UserId}\}"]}
        }
        date {
            locale => "en"
            timezone => "UTC"
            match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss"]
            target => "@timestamp"
        }

        if "ANONYMOUS" in [UserId] {
            drop { }
        }
        else {
           }
        }

When I run, this, all log lines end up in kibana only difference is that all fields like ip and userID are -.

Also I want to process all log files in folder created after specific time. is there any filter for that?

Badger · December 15, 2023, 7:08pm

Only difference between what and what?

Topic		Replies	Views
Drop everything and only filter for specific fileds Logstash	7	1105	September 13, 2017
[SOLVED] Drop filter issue Logstash	5	896	July 6, 2017
Duplicate entries after grok Logstash	3	3240	July 6, 2017
[SOLVED] Drop when a field is equal to Logstash	3	1295	July 6, 2017
Logstash drop filter is not dropping events Logstash	2	1168	November 4, 2022

Drop complete row or message

Related topics