Filter Not Working (Version 2.3.1)

VenkataMR · May 1, 2016, 3:29pm

New to Logstash, was trying to filer certain messages which have matching either of INFO, ERROR, WARNING and having time stamp in certain format only. I don't want any other message by having bellow filter.

filter { date { match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ] } grok { match => [ "message" , "INFO" ] } grok { match => [ "message" , "ERROR" ] } grok { match => [ "message" , "WARNING" ] } }
But i see messages like below were as well getting filtered.
qqqqqqqqqqqqqqqqqqqqqqqqq or aaaaaaaaaaaaaaaaaaaaaaa

Something missing in the filter?

Thanks

warkolm · May 1, 2016, 10:28pm

So you don't want messages with INFO/ERROR?WARNING, and with that date format to be processed?

VenkataMR · May 2, 2016, 2:05am

I want messages which contain INFO or ERROR or WARNING or having timestamp to be filtered to output. Rest all messages should be stopped for writing to output stream.

VenkataMR · May 5, 2016, 12:51pm

Any issue with the configuration

fbaligand · May 5, 2016, 5:09pm

grok is useful to transform an unstructured message to a document.
It's not done to remove some messages.

If you want to do that :

if [message] !~ "INFO|WARNING|ERROR" {
  drop{}
}