Filters empty messages

Hello,

I'm trying to filter some empty messages sent from badly formatted logs. By empty I mean they can contain just an unknown number of newline characters and/or just some spaces.

I tried something like this:

grok {
  tag_on_failure => []
  match => { "message" => [ "^$", "^\s+$" ] }
  keep_empty_captures => false
  add_tag => [ "msg_is_empty" ]
}

I should specify that the multiline concatenation is handled by Filebeat.

Results:

It seems that any newline is actually matched by the grok pattern.
As I understand it, it's because grok is not multiline aware, but I can't see how to configure it properly to make it work.

Any thoughts?

How about this:

if [message] =~ /^\s*$/ {
  drop { }
}
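
Added example, not part of the thread: grok patterns are Oniguruma regexes, the engine Ruby also uses, where `^` and `$` anchor at every line boundary rather than at the ends of the string. The Ruby sketch below compares the patterns from the question and a line-anchored `^\s*$` with the whole-string anchors `\A` and `\z`; the sample messages and helper names are constructed for illustration.

```ruby
# Added example: anchor semantics on multiline events (Ruby regex semantics).
# All sample messages below are constructed; helper names are hypothetical.

QUESTION_PATTERNS = [/^$/, /^\s+$/].freeze # the two grok patterns from the question
LINE_ANCHORED     = /^\s*$/                # ^ and $ match around ANY line in the event
WHOLE_STRING      = /\A\s*\z/              # \A and \z match only the ends of the event

# Report which pattern family flags a message as "empty".
def classify(message)
  {
    question_patterns: QUESTION_PATTERNS.any? { |re| re.match?(message) },
    line_anchored:     LINE_ANCHORED.match?(message),
    whole_string:      WHOLE_STRING.match?(message)
  }
end

# Messages a line-anchored pattern calls empty although they carry content.
# Tagging or dropping these would silently lose real log data.
def false_positives(messages)
  messages.select do |m|
    c = classify(m)
    (c[:question_patterns] || c[:line_anchored]) && !c[:whole_string]
  end
end

SAMPLES = [
  "",                                                         # truly empty
  "   ",                                                      # spaces only
  "\n\n  \n",                                                 # newlines and spaces only
  "ERROR login failed for user=alice",                        # single-line content
  "Exception in thread main\n\n    at App.run(App.java:10)"   # content with a blank line
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |m| puts format("%-62s %s", m.inspect, classify(m)) }
  puts "wrongly flagged as empty: #{false_positives(SAMPLES).inspect}"
end
```

Only the multiline event with an interior blank line is misclassified, which is the behaviour reported in the question.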
