I don't want all data output to the elasticsearch

f26227279 · August 23, 2017, 8:37am

I found that the filter plugin can't filter wrong format message and all data would output to the elasticsearch.
If I want to filter out wrong data let wrong data can't output to the elasticsearch ,how can I do.
this is my conf:

input {
    stdin { }
}
filter {
    if[type]=="syslog"{
       grok {
       match => { "message" => '<%{NONNEGINT:syslog_pri}>%{GREEDYDATA:fgtlogmsg}'
     }
     }	
kv {
      source => "fgtlogmsg"
   }
   syslog_pri { }
  }
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

if I input message such as "123456Test", it also output to the elasticsearch
thank you in advance

tatdat · August 23, 2017, 9:46am

Your mean is drop message, that can't filter by grok?

filter {
	if[type]=="syslog"{
		grok {
			match => { "message" => '<%{NONNEGINT:syslog_pri}>%{GREEDYDATA:fgtlogmsg}'}
		}	
		kv {
			source => "fgtlogmsg"
		}
		syslog_pri { }
	}
	if "_grokparsefailure" in [tag] {
		drop { }
	}
}

Or

output {
	if "_grokparsefailure" not in [tag] {
		elasticsearch { hosts => ["localhost:9200"] }
		stdout { codec => rubydebug }
	}
	
}

f26227279 · August 23, 2017, 10:15am

tatdat,
Thank you this is answer what I want

system · September 20, 2017, 10:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.