Drop message,but still write into elasticsearch

zhangheng · August 10, 2017, 12:49pm

I was confused,because i drop some message in the filter,it really not out put in the stdout ,but it still write into the elasticsearch .
here is my config, help me ,please

filter {
if "GET" in [message] {
drop { }
}
grok {
match => [ "message",'%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY} %{TIME:request_time} %{IP:client_ip_address} ["]%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}["] (?<status_code>%{NUMBER}|-) (?<response_lenth>%{NUMBER}|-) (?<total_time>%{NUMBER}|-) (?<cu_time>%{NUMBER}|-) (?<inside_code>%{NUMBER}|-) (?<cu_server>%{IP}:%{NUMBER}|-) (?%{WORD}|-) (?%{WORD}|-) (?<task_config>"."|"-") (?<sdk_version>[3-5].|-)' ]
}
geoip {
source => "client_ip_address"
target => "geoip"
database => "/xxxx/logstash-5.4.3/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
output {
elasticsearch {
hosts => ["http://xxxxxxx"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
user => "xxxx"
password => "xxxx"
}
stdout { codec => rubydebug }
}

warkolm · August 10, 2017, 9:05pm

Is it showing in stdout as well?

zhangheng · August 10, 2017, 10:51pm

no,that is why i don't understand

warkolm · August 11, 2017, 1:09am

You can remove all that add_field stuff and the convert, it's just noise that does nothing.

What does one of the messages that doesn't get dropped look like?

system · September 8, 2017, 1:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.