Filters empty messages

webofmars · December 8, 2016, 5:16pm

Hello,

I'm trying to filter some empty messages sent from badly formated logs. By empty i mean they can contain just an unknown number of newlines charachters and/or just some spaces.

i tried something like that :

grok {
    tag_on_failure => []
    match => { "message" => [ "^$", "^\s+$" ] }
    keep_empty_captures => false
    add_tag  => [ "msg_is_empty" ]
  }

I must precise that the multiline concatenation is handled by filebeats.

Results :

It seams that any newline is actually matched by the grok pattern.
As i understand it, it's because grok is not multiline aware but i can't see how to configure it properly to make it works.

Any thoughts ?

magnusbaeck · December 8, 2016, 5:37pm

How about this:

if [message] =~ /^\s*$/ {
  drop { }
}

system · January 5, 2017, 5:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Filter does not work with a newLine Logstash	5	2071	July 6, 2017
Collecting multiline message from http input Logstash	2	932	September 23, 2018
GROK FILTER NOT WORKING WITH MULTILINE UNSTRUCTURED MESSAGE Logstash	24	4397	April 12, 2019
How do I match a newline in grok/logstash Logstash	13	16450	July 6, 2017
Need to parse multi-lines log message Logstash	4	122	May 27, 2024

Filters empty messages

Results :

Related Topics