Exclude particular domain name in logstash grok filter section

shan · June 15, 2016, 10:38am

Hi,

I want to exclude the some domain name *.com in my messages while storing into elasticsearch.

How to mention in grok filter section ?

Thanks,

warkolm · June 15, 2016, 10:08pm

You don't do it in grok, you should grok the message and then drop it - https://www.elastic.co/guide/en/logstash/current/plugins-filters-drop.html - using a conditional.

shan · June 16, 2016, 10:47am

Hi,

I have tried like this below but its not work for me.

if [hostname] == "domain name" {
drop { }
}

magnusbaeck · June 20, 2016, 5:44am

Without knowing what the hostname field actually looks like we can't tell what's wrong.

shan · June 22, 2016, 8:31am

Hi,

The hostname field actually looks like *.abc.com

Thanks

magnusbaeck · June 22, 2016, 11:55am

It's literally "*.abc.com" or a string that ends with ".abc.com", like "some-random-hostname.abc.com"? In the latter case use a regexp match conditional:

if [hostname] =~ /\.abc\.com$/ {
  drop { }
}

Topic		Replies	Views
Parsing logs for specific domain Logstash	2	553	July 6, 2017
Configuration of Logstash to remove domain from URL Logstash	3	389	July 6, 2022
Make optional character part of a defined regex (HOSTNAME)? Logstash	2	983	February 8, 2018
Filter specific Message with logstash before sending to ElasticSearch Logstash	3	2338	July 6, 2017
Logstash filter fields in if conditions Logstash	5	19287	August 25, 2020

Exclude particular domain name in logstash grok filter section

Related Topics