Exclude particular domain name in logstash grok filter section

shan · June 15, 2016, 10:38am

Hi,

I want to exclude the some domain name *.com in my messages while storing into elasticsearch.

How to mention in grok filter section ?

Thanks,

warkolm · June 15, 2016, 10:08pm

You don't do it in grok, you should grok the message and then drop it - https://www.elastic.co/guide/en/logstash/current/plugins-filters-drop.html - using a conditional.

shan · June 16, 2016, 10:47am

Hi,

I have tried like this below but its not work for me.

if [hostname] == "domain name" {
drop { }
}

magnusbaeck · June 20, 2016, 5:44am

Without knowing what the hostname field actually looks like we can't tell what's wrong.

shan · June 22, 2016, 8:31am

Hi,

The hostname field actually looks like *.abc.com

Thanks

magnusbaeck · June 22, 2016, 11:55am

It's literally "*.abc.com" or a string that ends with ".abc.com", like "some-random-hostname.abc.com"? In the latter case use a regexp match conditional:

if [hostname] =~ /\.abc\.com$/ {
  drop { }
}

Topic		Replies	Views
Parsing logs for specific domain Logstash	2	553	July 6, 2017
Grok filter add_field Logstash	6	2080	May 19, 2020
How can I drop the domain from host.name field in logstash? Logstash	4	582	April 9, 2021
Drop logs from particular hostname Logstash	4	1270	July 24, 2018
Configuration of Logstash to remove domain from URL Logstash	3	392	July 6, 2022

Exclude particular domain name in logstash grok filter section

Related topics