How to drop multiple message names using filebeat

balamelangi · January 24, 2019, 8:18am

Hi,

Please some one help me how to drop lines using filebeat. My code is,

 processors: 
  - drop_event: 
      when: 
        contains: 
          message: ["AbstractLoggingWriter", "WARN"]

and

 processors: 
  - drop_event: 
      when: 
        contains: 
          message: 
            - AbstractLoggingWriter
            - WARN

and

I'm getting both logs :
2019-01-24 08:08:30,291 WARN OSS com.pronto.util.CacheErrorMessage.getMessage(CacheErrorMessage.java:97) - Error Message id - ' wisp id : 16, franchisee id : 1527577560571, location id : 1527592878683, messageCode : CustomerFUPInfo' is Null.
2019-01-24 07:47:18,912 ERROR stderr org.jboss.stdio.AbstractLoggingWriter.write(AbstractLoggingWriter.java:71) - In TemplateProvider.locate()
2019-01-24 07:47:18,912 ERROR stderr org.jboss.stdio.AbstractLoggingWriter.write(AbstractLoggingWriter.java:71) - DD.ServiceClass: org.apache.soap.providers.StatelessEJBProvider

By using above code I'm unable to drop_lines containing.

But If I try to below :

 processors: 
  - drop_event: 
      when: 
        contains: 
          message: "AbstractLoggingWriter"

drops all the messages containing AbstractLoggingWriter . I want to block or drop lines containing AbstractLoggingWriter and WARN. Please some one help me.

Thanks.

shrikantgulia · January 24, 2019, 9:57am

Hello @balamelangi,

Use this to exclude lines

exclude_lines: ['AbstractLoggingWriter']

Hope this works for you

Regards
Shrikant

balamelangi · January 24, 2019, 10:07am

Thanks for your reply @shrikantgulia .

I'm using 5.6.14 version filebeat. So, I think exclude_lines option is not working.

 processors: 
  - drop_event: 
      when: 
        contains: 
          message: "AbstractLoggingWriter"

The above one is working. But coming to drop two different words not working. If you know please let me.

Thanks.

shrikantgulia · January 24, 2019, 10:27am

Hello @balamelangi,

I think its the same

https://www.elastic.co/guide/en/beats/filebeat/5.6/configuration-filebeat-options.html

balamelangi · January 24, 2019, 10:36am

No. This is not same.

balamelangi · January 24, 2019, 10:51am

@adrisr can you please help me.

I'm trying to drop events with multiple words like :

   AbstractLoggingWriter  and WARN.

Thanks.

shrikantgulia · January 24, 2019, 10:54am

@balamelangi
can you please add array.

like ["AbstractLoggingWriter", "WARN"]

balamelangi · January 24, 2019, 10:58am

@shrikantgulia
Already I tried :
like ["AbstractLoggingWriter", "WARN"] is not working.

Even AbstractLoggingWriter also not droping.

Thanks.

adrisr · January 24, 2019, 11:43am

What you want is to use "and" in your condition:

processors: 
  - drop_event: 
      when: 
        and:
        - contains: 
            message: AbstractLoggingWriter
        - contains: 
            message: WARN

This will drop all events that contain AbstractLoggingWriter and WARN at the same time.

balamelangi · January 24, 2019, 12:06pm

@adrisr

No. I want WARN and AbstractLoggingWriter is separate logs. Not bot are in one line.

Thanks.

Topic		Replies	Views
Exclude messages with Strings Beats filebeat	3	930	January 11, 2018
Unable to exclude_lines in filebeat Beats filebeat	22	1266	February 20, 2019
Filebeat drop_event Beats filebeat	2	4045	July 5, 2017
Filebeat drop events with multiple words Beats filebeat	6	5236	February 23, 2018
Filbeat exclude and multiline configuration Beats filebeat	2	544	July 13, 2020

How to drop multiple message names using filebeat

Related topics