Filter logs in logstash


(Sergey) #1

Hi!!!
I have several types of logs that come into logstash, and I don't need the logs starting with CLIENT_LOG with "event_name": "CraftCard".
I've created a script in the filter section:

    if [message] =~ /^CLIENT_LOG / {
      if "event_name: 'CraftCard" in [message] {
        noop {
          add_tag => "removed_log"
        }
      }
    }

And then in the output:

    if "removed_log" in [tags] {
    }
    else {
      elasticsearch {
        host => "myhost.com"
        port => 9200
        index => "myindex"
        protocol => "http"
      }
    }

Is this a good solution, or does logstash provide a better one? Any ideas?


(Magnus Bäck) #2

It seems easier to just use the drop filter. You should also be able to detect the messages you want to drop using a single conditional. This should do:

filter {
  if [message] =~ /^CLIENT_LOG .*"event_name": "CraftCard"/ {
    drop { }
  }
}

(You're not being consistent about the single and double quotes in your example so you might need to adjust the regexp a bit.)

Is the log message in JSON format?


(Sergey) #3

@magnusbaeck
No, it's in a format like this:
"CLIENT_LOG: User( ip: 84.202.219.93; user_id: 694419; name: 'Sergey Flannon'; days_in_game: 2; pvp_rating: 0; device_model: 'samsung SM-N910F';). event_name: 'CraftCard'; CraftLevel: 'Level4';"
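Added example, not from anyone in this thread: Logstash conditionals use Ruby regexes, so the `drop` pattern can be tried in plain Ruby against the line format shown in #3 (which starts with `CLIENT_LOG:` and single-quotes the event name) before it goes into the config. The sample lines are constructed with placeholder user data.

```ruby
# Emulates the Logstash conditional
#   if [message] =~ /.../ { drop { } }
# in plain Ruby so a pattern can be checked against real lines first.

# Pattern written against the format in post #3: the message starts with
# "CLIENT_LOG:" and the event name is single-quoted. Anchored at the start so
# other log types are not scanned for the event name at all.
DROP_PATTERN = /^CLIENT_LOG:.*event_name: 'CraftCard'/

# Mirrors "if [message] =~ DROP_PATTERN { drop { } }": true means the event
# would be discarded by the filter.
def drop?(message)
  !!(message =~ DROP_PATTERN)
end

# Applies the filter to a batch of messages and returns only the survivors,
# which is what the elasticsearch output would receive.
def filter_events(messages)
  messages.reject { |m| drop?(m) }
end

# Constructed sample lines (placeholder IP, user id and name).
SAMPLE_LINES = [
  "CLIENT_LOG: User( ip: 203.0.113.10; user_id: 1; name: 'Example';). event_name: 'CraftCard'; CraftLevel: 'Level4';",
  "CLIENT_LOG: User( ip: 203.0.113.10; user_id: 1; name: 'Example';). event_name: 'Login';",
  "SERVER_LOG: event_name: 'CraftCard'; note: 'not a client log, so it is kept';"
].freeze

if __FILE__ == $PROGRAM_NAME
  filter_events(SAMPLE_LINES).each { |m| puts m }
end
```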
