Drop event

elk2 · April 9, 2018, 1:18pm

I would like to drop particular events from a log message that coming from a socket input.
How can I do this?

magnusbaeck · April 9, 2018, 1:23pm

Use a drop filter to drop an event and wrap the filter in a conditional to make sure you don't drop all events.

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

elk2 · April 9, 2018, 2:44pm

Thanks magnusbaeck.
If I use a grok filter like this:

if [type] == "syslog" {

grok {
match => [
"message", ".google."
]
add_tag => "to_drop"
}
}

When grok match I add a tag "to_drop" otherwise no.

It's correct?

magnusbaeck · April 9, 2018, 8:21pm

That depends on what you want to accomplish. Drop all events whose message field contains "google"?

elk2 · April 10, 2018, 9:37am

Yes. It's it. Thanks.

magnusbaeck · April 10, 2018, 9:52am

if "google" in [message] {
  drop { }
}

elk2 · April 11, 2018, 7:58am

Great! How can I log the dropped events? Maybe to check the first time if all work correctly.

magnusbaeck · April 11, 2018, 8:25am

I don't think there's a way of logging dropped events, but instead of dropping them you can add a tag and use the presence of that tag in the output section to conditionally log those events to a file rather than sending them to the usual outputs.

system · May 9, 2018, 8:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.