How to send an email using Logstash only if your log message has a particular string

Hi,

My requirement is to email only the logs that match a particular substring in a message.

By removing the if condition in the code below I am able to receive email notifications, which means the code is working, but I need email notifications only for the logs that have a particular substring. Can someone please help me solve it?

logstash.conf

input {
  file {
    path => "/home/c.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => ["message","%{GREEDYDATA:message}"]
  }
}
output {
  stdout { codec => rubydebug }
  if "java.lang.RuntimeException" in [message] {
    email {
      from => "##########.com"
      body => "Here is the event :%{message} \nLog file: %{path}"
      to => "v#######@gmail.com"

      codec => "plain"
      contenttype => "text/plain; charset=UTF-8"

      address => "smtp.gmail.com"
      port => "587"
      authentication => "plain"
      username => "########@gmail.com"
      password => "mypassword"
      use_tls => true
      debug => true
    }
  }
}

sample log

Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 69 in array position 35

This works for me. If I feed logstash a file which contains several lines of random text plus your sample message I only get the sample message output.

Hi Badger,

I tried, but it's not working. Have a look at my conf file and console logs.

CASE 1 :
logstash.conf
input {
  file {
    path => "/home/c.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => ["message","%{GREEDYDATA:message}"]
  }
}
output {
  stdout { codec => rubydebug }
  if "java.lang.RuntimeException" in [message] {
    email {
      from => "#########@gmail.com"
      body => "Here is the event :%{message} \nLog file: %{path}"
      to => "######@gmail.com"
      codec => "plain"
      contenttype => "text/plain; charset=UTF-8"

      address => "smtp.gmail.com"
      port => "587"
      authentication => "plain"
      username => "########@gmail.com"
      password => "mypassword"
      use_tls => true
      debug => true
    }
  }
}

console output :

{
"path" => "/home/Desktop/a.log",
"message" => [
[0] "Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 61 in array position 31",
[1] "Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 61 in array position 31"
],
"host" => "desktop",
"@version" => "1",
"@timestamp" => 2019-05-01T13:47:59.015Z
}

Here the message field looks like an array, and I guess my filter is unable to read from it.

But if I change the field name to msg in the filter, like below:

CASE 2:

logstash.output.conf
input {
  file {
    path => "/home/c.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => ["message","%{GREEDYDATA:msg}"]
  }
}
output {
  stdout { codec => rubydebug }
  if "java.lang.RuntimeException" in [msg] {
    email {
      from => "#######@gmail.com"
      body => "Here is the event :%{message} \nLog file: %{path}"
      to => "#######@gmail.com"
      codec => "plain"
      contenttype => "text/plain; charset=UTF-8"

      address => "smtp.gmail.com"
      port => "587"
      authentication => "plain"
      username => "#########@gmail.com"
      password => "mypassword"
      use_tls => true
      debug => true
    }
  }
}

console output :
{
"@timestamp" => 2019-05-01T13:50:31.292Z,
"host" => "desktop",
"msg" => "Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 61 in array position 0",
"@version" => "1",
"path" => "/home/Desktop/a.log",
"message" => "Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 61 in array position 0"
}

In this case I am able to get email notifications, but I don't think it's an optimized solution. I don't want an additional field unnecessarily. Can I get email notifications without adding an extra field?

Delete this. It is changing [message] from a string into an array that contains two copies of the same string. That's why your test in the output does not work.

Thanks Badger, it helped.
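
The pipeline from the thread with the fix applied, as an added example that is not part of the original posts: the grok filter is gone, so [message] stays a string and the `in` conditional is a substring test again. The addresses and the `SMTP_USER` / `SMTP_PASSWORD` variable names are assumptions; Logstash resolves `${...}` references from the environment or its keystore, which keeps the SMTP password out of the config file.

```logstash
# Added example, not from the thread. Addresses are constructed placeholders;
# SMTP_USER and SMTP_PASSWORD are assumed names resolved from the environment
# or the Logstash keystore.
input {
  file {
    path => "/home/c.log"
    start_position => "beginning"
  }
}

# No grok filter. Capturing into a field that already exists appends to it,
# so %{GREEDYDATA:message} turned [message] into a two-element array, and
# "in" against an array compares whole elements instead of searching a string.
# If a grok really has to write back into [message], make it replace the value:
#
#   filter {
#     grok {
#       match     => { "message" => "%{GREEDYDATA:message}" }
#       overwrite => ["message"]
#     }
#   }

output {
  stdout { codec => rubydebug }

  # [message] is a plain string here, so this matches any line that
  # contains the exception class name.
  if "java.lang.RuntimeException" in [message] {
    email {
      from           => "alerts@example.com"
      to             => "oncall@example.com"
      body           => "Here is the event: %{message}\nLog file: %{path}"
      contenttype    => "text/plain; charset=UTF-8"
      address        => "smtp.gmail.com"
      port           => 587
      authentication => "plain"
      username       => "${SMTP_USER}"
      password       => "${SMTP_PASSWORD}"
      use_tls        => true
    }
  }
}
```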
