How to Ignore some messages from Kafka topic when consuming using Logstash

deeps · October 8, 2018, 5:59pm

I have ten's of different messages in a kafka topic. I need to just consume messages that has only "America" in it. I have tried some suggestions available on the blog but no luck, could anyone help?

Flow is App -> Kafka topic -> Logstash consume pipeline and output to local ES.

Sample config:
input {
kafka {
bootstrap_servers => "broker:9093"
security_protocol => "SSL"
ssl_keystore_location => "/etc/logstash/keystore.jks"
ssl_keystore_password => "password"
ssl_truststore_location => "/etc/logstash/truststore.jks"
ssl_truststore_password => "password"
topics => ["topic1"]
codec => "json"
}
}
filter {
json{
source => "message"
}
}
output {
if "America" in [message] {
elasticsearch {
hosts => localhost
manage_template => false
index => "test"
}
}
}

magnusbaeck · October 8, 2018, 7:35pm

Show us an example unwanted document. Copy/paste the raw JSON from Kibana's JSON tab.

deeps · October 8, 2018, 7:38pm

{
"_index": "test",
"_type": "doc",
"_id": "XX",
"_version": 1,
"_score": null,
"_source": {
"meta": {
"message_type": "CREATE_ACCOUNT",
"create_timestamp": "2018-10-02T19:04:12.416Z",
"message_send_time": "2018-10-02T19:04:12.416Z",
"message_id": "XX"
},
"@version": "1",
"@timestamp": "2018-10-08T19:05:26.335Z",
"payload": {
"email": "XX@XX.com",
"last_name": "XX",
"first_name": "XX",
"value": XXOUT",
"id": "XX"
}
},
"fields": {
"@timestamp": [
"2018-10-08T19:05:26.335Z"
],
"meta.message_send_time": [
"2018-10-02T19:04:12.416Z"
],
"meta.create_timestamp": [
"2018-10-02T19:04:12.416Z"
]
},
"sort": [
1539025526335
]
}

deeps · October 8, 2018, 7:49pm

So I have different message_type's. Ex: CREATE_ACCOUNT, DELETE_ACCOUNT
I would like to only consume CREATE_ACCOUNT.

deeps · October 9, 2018, 12:41am

I was trying:

filter {
if [@meta.message_type] == "DELETE_ACCOUNT" { drop{ } }
}

but no luck, any help is appreciated! TIA.

deeps · October 9, 2018, 2:22pm

hey @magnusbaeck could you help when you get chance?

magnusbaeck · October 9, 2018, 6:37pm

filter {
if [@meta.message_type] == "DELETE_ACCOUNT" { drop{ } }
}

Replace [@meta.message_type] with [meta][message_type].

deeps · October 9, 2018, 6:48pm

that did the trick! thanks much! you are the best!! @magnusbaeck

system · November 6, 2018, 6:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Question about logstash and kafka Logstash	13	415	August 6, 2020
Reading from specific Kafka partitions Logstash	3	1130	June 22, 2021
Is it possible to have Output Specific Filter or vice versa in Logstash Logstash	5	291	September 27, 2020
Filter Kafka JSON messages with Logstash grok Logstash	2	1461	December 11, 2017
Logstash 5.1.1 kafka input doesn't pick up existing messages on topic Logstash	1	481	March 3, 2017

How to Ignore some messages from Kafka topic when consuming using Logstash

Related topics