Ingest only ERROR and warning logs to elastic search

rahul_sirugudi · November 23, 2022, 9:07am

Hi I am trying to ingest only ERROR and warning logs to Elasticsearch. Currently filebeat is shipping logs to log stash, i am using grok pattern.

grok {
match => { "message" => "%{IPV4:ip} - \[%{TIMESTAMP_ISO8601:timestamp}\] - %{GREEDYDATA:message} - %{GREEDYDATA:pool} - %{LOGLEVEL:log-level} : %{GREEDYDATA:error-message}" }
}
output {
if [fields][type] == "application_logs"
{
    elasticsearch {
    hosts => ["ip:9200"]
   user => "elastic"
   password => "password"
   index => "application-logs"
   }
 if "ERROR" in [log-level]
{
   stdout { codec => rubydebug }
  }

}
}

This above pattern is showing all logs including INFO. What can be done here?

Badger · November 23, 2022, 8:06pm

Try wrapping your elasticsearch output in something like

if [log-level] in [ "ERROR", "WARN" ] {
    ...
}

rahul_sirugudi · November 24, 2022, 4:55am

Thanks Tried that, it worked i have to make few changes to file.

grok {
match => { "message" => "%{IPV4:ip} - \[%{TIMESTAMP_ISO8601:timestamp}\] - %{GREEDYDATA:message} - %{GREEDYDATA:pool} - %{LOGLEVEL:log-level} : %{GREEDYDATA:error-message}" }
}
output {
if [fields][type] == "application_logs"
{
 if [log-level] in [ "ERROR", "WARN" ]
{
   stdout { codec => rubydebug }
  }
    elasticsearch {
    hosts => ["ip:9200"]
   user => "elastic"
   password => "password"
   index => "application-logs"
   }


}
}
}

Topic		Replies	Views
Using Logstash, not able to filter Error Level while indexing to elastic search Logstash	2	916	August 10, 2020
How may I get only ERROR related logs from my stack trace? Logstash	5	1715	September 17, 2018
Grok for code to get formatted output Logstash	15	1314	July 6, 2017
How can I Filter Error logs Logstash	1	296	December 30, 2019
Using logstash, How to filter Errors only from logs? Logstash	10	15249	November 4, 2022

Ingest only ERROR and warning logs to elastic search

Related topics