Forward only ERROR or Warn log lines to Splunk

Need your expert advise on how can I configure my logstash.conf file to forward only the ERROR OR WARN log lines to Splunk. I have done some online research that a grok filter or wrapping the output with if condition can be used in order the acheive the required result.

I prefer not to send the data with INFO OR DEBUG logging levels to Splunk, therefore, looking forward to getting some clean solution to implement it in logstash config file to control the data which is sent to Splunk.

Please advise how logstash.conf should be updated to achieve the required result.

I would appreciate if you could share a working example on the same.

Many thanks!

Costing a bit too much is it :wink:

If you have a field that you've extracted with grok, you can then use a drop filter with a conditional to drop the non error or warning logs. What that looks like depends on your log format.

Exactly, the cost is insane. :slight_smile:

Ok, thank you very much for your help. I will check. Would it be possible without grok? Please can you advise if the below will work.

If [level] =="ERROR OR [level]=="WARN" {

Output { ----


I am not clear on the keyword level here, is that already defined in logstash?


If the level field is not separate to Logstash, it wont be able to do this without grok.

Don't forget you can put all this in Elasticsearch too!

Thanks Mark! Much appreciated.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.