bvoros
(Bertalan Voros)
May 29, 2024, 10:58am
1
Hello all,
I would like to match and drop the following documents but my filter fails to match these. I am trying to match against the "message" field, could or should I match against the "event" field?
Can someone explain how this can be done?
Example doc:
{
  "_index": "index-2024.05.29",
  "_id": "jN3mw48BcV4jg42Il86T",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2024-05-29T10:30:20.125368176Z",
    "data": null,
    "event": {},
    "@version": "1",
    "message": "\n"
  },
  "fields": {
    "@timestamp": [
      "2024-05-29T10:30:20.125Z"
    ],
    "message.keyword": [
      "\n"
    ],
    "@version": [
      "1"
    ],
    "@version.keyword": [
      "1"
    ],
    "message": [
      "\n"
    ]
  }
}
and the relevant filter:
if [message] == "\\n" or [message] == "" or ![message] {
  drop {}
}
yago82
May 29, 2024, 11:06am
2
Hi,
try this:
if [message] == "\n" or [message] == "" or ![message] {
  drop {}
}
Regards
bvoros
(Bertalan Voros)
May 29, 2024, 11:35am
3
Hello and thank you. Unfortunately there is no change in behaviour; the documents still show up.
bvoros
(Bertalan Voros)
May 29, 2024, 11:55am
4
As it turns out, the solution was to enable escape sequences in logstash.yml:
config.support_escapes: true
Thanks for your help
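Why the two filters above behave the same until the setting is changed, as an added Ruby example (not Logstash's own code and not part of the thread): a simplified model of how Logstash reads a double-quoted literal in a conditional with and without config.support_escapes, applied to the document from the first post. The escape rules modelled here (\n, \r, \t, quotes and backslash) are an assumption about what the setting enables.

```ruby
# Constructed sample: the _source of the document from the thread. The
# message field holds one real newline character (byte 0x0A).
SAMPLE_EVENT = { "message" => "\n", "event" => {}, "data" => nil }.freeze

# Turn the text between the quotes of a pipeline-config literal into the
# string that is actually compared against the event field.
# Without support_escapes the characters are kept exactly as typed, so
# "\n" in the config is a backslash followed by the letter n (two characters).
# With support_escapes the usual sequences are decoded (assumed rule set).
def config_string(literal, support_escapes:)
  return literal unless support_escapes
  literal.gsub(/\\./) do |seq|
    case seq[1]
    when "n" then "\n"
    when "r" then "\r"
    when "t" then "\t"
    when '"', "'", "\\" then seq[1]
    else seq # unknown sequence: left unchanged
    end
  end
end

# The conditional from the thread:
#   if [message] == "<literal>" or [message] == "" or ![message] { drop {} }
# Returns true when the event would be dropped.
def drop?(event, literal, support_escapes:)
  msg = event["message"]
  msg.nil? || msg == "" || msg == config_string(literal, support_escapes: support_escapes)
end

# The combinations the thread went through. Ruby single quotes keep
# backslashes literal: '\\n' is the config text "\n", '\\\\n' is "\\n".
def outcomes(event = SAMPLE_EVENT)
  {
    # first post: "\\n" with default settings -> three chars \ \ n, no match
    double_backslash_default: drop?(event, '\\\\n', support_escapes: false),
    # suggested "\n" with default settings -> two chars \ n, still no match
    single_backslash_default: drop?(event, '\\n', support_escapes: false),
    # "\n" with config.support_escapes: true -> a real newline, match
    single_backslash_escapes: drop?(event, '\\n', support_escapes: true),
    # "\\n" with config.support_escapes: true -> backslash n, no match
    double_backslash_escapes: drop?(event, '\\\\n', support_escapes: true),
  }
end
```

Only the third combination drops the sample document, which is the behaviour change the last post reports.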