Filter only required logs and send to Elasticsearch

Hi,

My input file contains 10 lines of logs, out of which I need to parse only 5 logs based on a string, for example: NAS.
So, out of 10 logs, only the 5 logs which contain the keyword "NAS" should be parsed and go to Elasticsearch.
I couldn't find any suitable filter for this. Can you please help me by suggesting a filter?
Thanks in advance.

My log format:

000331 Tue Mar 30 09:21:07 2021 7F9ACBCCC700 INFO  NAS    tasks/nas/nas_proc.c            :0309      Received NAS UPLINK DATA IND from S1AP for ue_id = (1)
000332 Tue Mar 30 09:21:07 2021 7F9ACBCCC700 INFO  NAS-EM tasks/nas/emm/sap/emm_as.c      :0176            EMMAS-SAP - Received primitive EMMAS_DATA_IND (214)
000333 Tue Mar 30 09:21:07 2021 7F9ACBCCC700 INFO  NAS-EM tasks/nas/emm/sap/emm_as.c      :0621               EMMAS-SAP - Received AS data transfer indication (ue_id=0x00000001, delivered=true, length=19)

If you want to drop any message that does not contain the string "NAS" you could use

if "NAS" not in [message] { drop {} }

If you want to drop any event where [message] does not contain the word "NAS" you could use

if [message] !~ /\bNAS\b/ { drop {} }
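
The difference between the two conditionals above, as an added example that is not part of the original posts: Ruby stand-ins for each check are run over two log lines from the question plus three constructed lines. The `kept_by_component?` check, the field position it assumes, and the constructed lines are assumptions made for illustration.

```ruby
# An event is KEPT when the Logstash drop condition is false.

# Mirrors: if "NAS" not in [message] { drop {} }  (plain substring test)
def kept_by_substring?(message)
  message.include?("NAS")
end

# Mirrors: if [message] !~ /\bNAS\b/ { drop {} }  (NAS as a whole word)
def kept_by_word?(message)
  message.match?(/\bNAS\b/)
end

# Hypothetical stricter check (not from the thread): test only the component
# column, assumed to be the 9th whitespace-separated field of the line.
def kept_by_component?(message)
  message.split[8].to_s.match?(/\ANAS(-|\z)/)
end

def verdicts(message)
  [kept_by_substring?(message), kept_by_word?(message), kept_by_component?(message)]
end

SAMPLES = {
  # From the question.
  nas:    "000331 Tue Mar 30 09:21:07 2021 7F9ACBCCC700 INFO  NAS    tasks/nas/nas_proc.c            :0309      Received NAS UPLINK DATA IND from S1AP for ue_id = (1)",
  nas_em: "000332 Tue Mar 30 09:21:07 2021 7F9ACBCCC700 INFO  NAS-EM tasks/nas/emm/sap/emm_as.c      :0176            EMMAS-SAP - Received primitive EMMAS_DATA_IND (214)",
  # Constructed: another component that mentions NAS in its message text.
  s1ap:   "000340 Tue Mar 30 09:21:08 2021 7F9ACBCCC700 INFO  S1AP   tasks/s1ap/example.c            :0100      Forwarding NAS PDU to upper layer",
  # Constructed: "NAS" only appears inside a longer word.
  inside: "000341 Tue Mar 30 09:21:08 2021 7F9ACBCCC700 INFO  SCTP   tasks/sctp/example.c            :0042      stream state UNASSIGNED",
  # Constructed: no occurrence at all.
  none:   "000342 Tue Mar 30 09:21:08 2021 7F9ACBCCC700 INFO  GTPV2  tasks/gtpv2/example.c           :0010      echo request received"
}.freeze

SAMPLES.each do |name, message|
  sub, word, comp = verdicts(message)
  puts format("%-7s substring=%-5s word=%-5s component=%-5s", name, sub, word, comp)
end
```

Because `-` is not a word character, `\bNAS\b` still keeps `NAS-EM` lines, and both conditionals from the thread keep a line from any component whose message text mentions NAS.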
