Forward only ERROR or Warn log lines to Splunk

Need your expert advice on how I can configure my logstash.conf file to forward only the ERROR or WARN log lines to Splunk. I have done some online research suggesting that a grok filter, or wrapping the output in an if condition, can be used to achieve the required result.

I prefer not to send data with INFO or DEBUG logging levels to Splunk, so I am looking for a clean solution to implement in the logstash config file to control the data that is sent to Splunk.

Please advise how logstash.conf should be updated to achieve the required result.

I would appreciate it if you could share a working example of this.

Many thanks!

Costing a bit too much is it :wink:

If you have a field that you've extracted with grok, you can then use a drop filter with a conditional to drop the logs that are not errors or warnings. What that looks like depends on your log format.
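A worked example added here to illustrate that reply (it is not from the original thread or from Elastic). It assumes log lines of the form "2024-01-01T12:00:00Z ERROR message text", and the Splunk host, port and HEC token are placeholders to be replaced with your own.

```logstash
input {
  # Assumed source: application log lines read from a file.
  file {
    path => "/var/log/app/app.log"   # placeholder path
    start_position => "beginning"
  }
}

filter {
  # Assumed format: "<ISO8601 timestamp> <LEVEL> <rest of line>".
  # LOGLEVEL is a built-in grok pattern; it matches WARN and WARNING,
  # ERROR, INFO, DEBUG, etc. and stores the match in [level].
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:msg}" }
  }

  # Drop everything that is not ERROR or WARN/WARNING. Lines grok could not
  # parse carry the _grokparsefailure tag and are dropped as well, so no
  # unclassified line reaches Splunk; remove that clause if you would rather
  # forward unparsed lines and inspect them.
  if "_grokparsefailure" in [tags] or [level] not in ["ERROR", "WARN", "WARNING"] {
    drop { }
  }
}

output {
  # Forward the surviving events to a Splunk HTTP Event Collector (HEC).
  # Placeholder URL and token: substitute your HEC endpoint and token.
  http {
    url         => "https://splunk.example.com:8088/services/collector/event"
    http_method => "post"
    format      => "json"
    headers     => { "Authorization" => "Splunk PLACEHOLDER_HEC_TOKEN" }
    mapping     => {
      "event"      => "%{message}"
      "sourcetype" => "app:logs"
    }
  }
}
```

Because filtering happens in Logstash, INFO and DEBUG events never reach Splunk at all, so any search or alert that would have needed them cannot be run later; keep that trade-off in mind when choosing the levels to drop.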

Exactly, the cost is insane. :slight_smile:

Ok, thank you very much for your help. I will check. Would it be possible without grok? Could you please advise whether the below will work?

```
output {
  if [level] == "ERROR" or [level] == "WARN" {
    ----
  }
}
```

I am not clear on the keyword level here, is that already defined in logstash?

Thanks!

If the level field is not separate to Logstash, it won't be able to do this without grok.

Don't forget you can put all this in Elasticsearch too!

Thanks Mark! Much appreciated.
