Drop message, but still write into Elasticsearch

I was confused, because I drop some messages in the filter. They really are not output in the stdout, but they are still written into Elasticsearch.
Here is my config, help me, please.

filter {
  if "GET" in [message] {
    drop { }
  }
  grok {
    match => [ "message",'%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY} %{TIME:request_time} %{IP:client_ip_address} ["]%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}["] (?<status_code>%{NUMBER}|-) (?<response_lenth>%{NUMBER}|-) (?<total_time>%{NUMBER}|-) (?<cu_time>%{NUMBER}|-) (?<inside_code>%{NUMBER}|-) (?<cu_server>%{IP}:%{NUMBER}|-) (?%{WORD}|-) (?%{WORD}|-) (?<task_config>"."|"-") (?<sdk_version>[3-5].|-)' ]
  }
  geoip {
    source => "client_ip_address"
    target => "geoip"
    database => "/xxxx/logstash-5.4.3/GeoLite2-City.mmdb"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    convert => [ "[geoip][coordinates]", "float"]
  }
}
output {
  elasticsearch {
    hosts => ["http://xxxxxxx"]
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
    user => "xxxx"
    password => "xxxx"
  }
  stdout { codec => rubydebug }
}

Is it showing in stdout as well?

No, that is why I don't understand.

You can remove all that add_field stuff and the convert, it's just noise that does nothing.

What does one of the messages that doesn't get dropped look like?
