Need your expert advice on how I can configure my logstash.conf file to forward only the ERROR OR WARN log lines to Splunk. I have done some online research that a grok filter or wrapping the output with an if condition can be used in order to achieve the required result.
I prefer not to send the data with INFO OR DEBUG logging levels to Splunk, therefore, looking forward to getting a clean solution to implement it in the logstash config file to control the data which is sent to Splunk.
Please advise how logstash.conf should be updated to achieve the required result.
I would appreciate it if you could share a working example on the same.
If you have a field that you've extracted with grok, you can then use a drop filter with a conditional to drop the non error or warning logs. What that looks like depends on your log format.
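An added example of the grok-plus-drop approach described in the reply above (not part of the original posts). The log line format, the field names `log_time`, `level` and `log_message`, and the `level_unparsed` tag are assumptions; the existing input and output sections of logstash.conf stay as they are.

```logstash
filter {
  # Assumed line format (constructed sample, adjust the pattern to your logs):
  #   2024-01-15 10:23:45,123 ERROR com.example.Service - Connection refused
  grok {
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:log_time}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{GREEDYDATA:log_message}"
    }
  }

  if "_grokparsefailure" in [tags] {
    # Lines that did not match the pattern (for example stack-trace
    # continuation lines) have no [level] field. They are kept and tagged
    # here so nothing is lost silently; replace this branch with drop { }
    # if you would rather discard them.
    mutate { add_tag => ["level_unparsed"] }
  } else if [level] not in ["ERROR", "WARN"] {
    # INFO, DEBUG, TRACE and every other level stop here and never reach
    # the output section. LOGLEVEL also matches spellings such as
    # "WARNING" or lowercase "error"; add them to the list if your logs
    # use them.
    drop { }
  }
}
```

Because the drop happens in the filter stage, it applies to every output in the pipeline; wrap a single output in the same `if` condition instead if other destinations still need the INFO and DEBUG events.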