How to filter events based on certain string?

amruth · April 8, 2018, 4:35am

Hi,

I am trying to filter out events if it contains either source_type=\”APP/PROC/WEB\” or source_type=APP in the event.

Can someone please help me on this?

Thanks

Badger · April 8, 2018, 4:02pm

If I understand the question correctly then

if [source_type] in [ 'APP', '"APP/PROC/WEB"' ] { drop {} }

amruth · April 8, 2018, 5:22pm

Hi,

But source_type is not a field. Basically, I am trying to search for the entire strings source_type=\”APP/PROC/WEB\” or source_type=APP in [message] field.

Badger · April 8, 2018, 5:54pm

Thanks for clarifying

 if [message] =~ /source_type="APP\/PROC\/WEB"|source_type=APP/ ...

amruth · April 8, 2018, 6:03pm

Thanks for the answer. Can you please say if I have to use escape character \ for double quotes and forward slashes. Please let me know if following is correct.

if [message] =~ /source_type=\"APP\/PROC\/WEB\"|source_type=APP/{
drop{}
}

Badger · April 8, 2018, 7:12pm

Yes for forward slashes, because the right hand side of =~ is a regexp that starts and ends with a forward slash. No for double quotes. If it were a string starting and ending with double quotes rather than a regexp it would be the other way around.

amruth · April 8, 2018, 7:28pm

Thanks Badger. It's working perfectly fine with what I have mentioned above. But if I use another if condition, it's not working,

if [message] =~ /source_type=\"APP\/PROC\/WEB\"|source_type=APP/{
     grok{...}
}
if [message] =~ /event_type=ContainerMetric/{
     grok{...} 
}
else{
     drop{}
}

Please say what I am doing wrong.

Badger · April 8, 2018, 8:17pm

Any message that matches the first if will be dropped if it does not match the second if. Is that what you want? Or did you mean to do if - else if - else?

You do not say what you mean by "not working". What does the message look like (send it to "output { stdout { codec => rubydebug } }" or paste an event from the JSON tab in Kibana. And what do want to have happen? What defines "working"?

amruth · April 9, 2018, 3:29pm

I am looking something like if the event has to be checked with two if conditions else it should be dropped. In my case the moment I remove else statement, I could see events related to 2 conditions in Elasticsearch but when I use else statement, I don't see any messages in Elasticsearch.(Input is from syslog server which continuously flow through udp input plugin )

system · May 7, 2018, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.