Drop event

elk2 · April 9, 2018, 1:18pm

I would like to drop particular events from a log message that coming from a socket input.
How can I do this?

magnusbaeck · April 9, 2018, 1:23pm

Use a drop filter to drop an event and wrap the filter in a conditional to make sure you don't drop all events.

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

elk2 · April 9, 2018, 2:44pm

Thanks magnusbaeck.
If I use a grok filter like this:

if [type] == "syslog" {

grok {
match => [
"message", ".google."
]
add_tag => "to_drop"
}
}

When grok match I add a tag "to_drop" otherwise no.

It's correct?

magnusbaeck · April 9, 2018, 8:21pm

That depends on what you want to accomplish. Drop all events whose message field contains "google"?

elk2 · April 10, 2018, 9:37am

Yes. It's it. Thanks.

magnusbaeck · April 10, 2018, 9:52am

if "google" in [message] {
  drop { }
}

elk2 · April 11, 2018, 7:58am

Great! How can I log the dropped events? Maybe to check the first time if all work correctly.

magnusbaeck · April 11, 2018, 8:25am

I don't think there's a way of logging dropped events, but instead of dropping them you can add a tag and use the presence of that tag in the output section to conditionally log those events to a file rather than sending them to the usual outputs.

system · May 9, 2018, 8:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to drop event in logstash Logstash	4	2191	September 21, 2018
Logstash drop filter is not dropping events Logstash	2	1119	November 4, 2022
[SOLVED] Drop filter issue Logstash	5	836	July 6, 2017
Drop all grok matches Logstash	10	4038	September 14, 2017
Logstash Drop Filter Logstash	4	421	May 2, 2018

Drop event

Related topics