How to Ignore some messages from Kafka topic when consuming using Logstash

deeps · October 8, 2018, 5:59pm

I have ten's of different messages in a kafka topic. I need to just consume messages that has only "America" in it. I have tried some suggestions available on the blog but no luck, could anyone help?

Flow is App -> Kafka topic -> Logstash consume pipeline and output to local ES.

Sample config:
input {
kafka {
bootstrap_servers => "broker:9093"
security_protocol => "SSL"
ssl_keystore_location => "/etc/logstash/keystore.jks"
ssl_keystore_password => "password"
ssl_truststore_location => "/etc/logstash/truststore.jks"
ssl_truststore_password => "password"
topics => ["topic1"]
codec => "json"
}
}
filter {
json{
source => "message"
}
}
output {
if "America" in [message] {
elasticsearch {
hosts => localhost
manage_template => false
index => "test"
}
}
}

magnusbaeck · October 8, 2018, 7:35pm

Show us an example unwanted document. Copy/paste the raw JSON from Kibana's JSON tab.

deeps · October 8, 2018, 7:38pm

{
"_index": "test",
"_type": "doc",
"_id": "XX",
"_version": 1,
"_score": null,
"_source": {
"meta": {
"message_type": "CREATE_ACCOUNT",
"create_timestamp": "2018-10-02T19:04:12.416Z",
"message_send_time": "2018-10-02T19:04:12.416Z",
"message_id": "XX"
},
"@version": "1",
"@timestamp": "2018-10-08T19:05:26.335Z",
"payload": {
"email": "XX@XX.com",
"last_name": "XX",
"first_name": "XX",
"value": XXOUT",
"id": "XX"
}
},
"fields": {
"@timestamp": [
"2018-10-08T19:05:26.335Z"
],
"meta.message_send_time": [
"2018-10-02T19:04:12.416Z"
],
"meta.create_timestamp": [
"2018-10-02T19:04:12.416Z"
]
},
"sort": [
1539025526335
]
}

deeps · October 8, 2018, 7:49pm

So I have different message_type's. Ex: CREATE_ACCOUNT, DELETE_ACCOUNT
I would like to only consume CREATE_ACCOUNT.

deeps · October 9, 2018, 12:41am

I was trying:

filter {
if [@meta.message_type] == "DELETE_ACCOUNT" { drop{ } }
}

but no luck, any help is appreciated! TIA.

deeps · October 9, 2018, 2:22pm

hey @magnusbaeck could you help when you get chance?

magnusbaeck · October 9, 2018, 6:37pm

filter {
if [@meta.message_type] == "DELETE_ACCOUNT" { drop{ } }
}

Replace [@meta.message_type] with [meta][message_type].

deeps · October 9, 2018, 6:48pm

that did the trick! thanks much! you are the best!! @magnusbaeck

system · November 6, 2018, 6:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reading from specific Kafka partitions Logstash	3	1123	June 22, 2021
Logstash Filter \|\| Json Message to Split Fields Logstash	3	2118	October 14, 2019
Logstash can not consume messages from kafka Logstash	5	3152	July 6, 2017
Decode kafka message Logstash	1	254	January 19, 2021
Logstash pipeline for kafka message Logstash	4	394	July 27, 2022

How to Ignore some messages from Kafka topic when consuming using Logstash

Related Topics