Logstash 1.5.0 alternative for filter grep

shartmann · June 15, 2015, 8:52am

Hello,
we used logstash 1.4.2 and will update to 1.5.0. In logstash 1.4.2 we used grep as filter. For logstash 1.5.0 filter grep is never available, I think. Is there any alternative for grep or how can we change our configuration?

Here our config-file:

input {
file {
path => "/var/log/glassfish/server.log"
type => "exceptions"
discover_interval => 10
}
...
}
if [type] == "exceptions" {
grok {
break_on_match => false
type => "exceptions"
match => [
"message", "(?m)[#|%{TIMESTAMP_ISO8601:timestamp}|%{LOGLEVEL}|%{DATA:server_version}|%{JAVACLASS:javaclass}|_ThreadID=%{INT:threadId};_ThreadName=%{USERNAME:threadName};|%{DATA:startException:}Exception:%{DATA:exceptionmessage}#]"
}
#########################

alternative for this part, everything else work

grep {
      type => "exceptions"
      match => [ "tags", "_grokparsefailure" ] negate => true
}

#########################
}
...
}
output {
if [type] == "exceptions" {
elasticsearch {
type => "exceptions"
cluster => "cluster1234"
index => "exceptions"
}
}
...
}

Thanks,
Stefan

yuphing · June 18, 2015, 9:37am

Maybe something like:

filter{
...
        if ([type] == "exceptions" and "_grokparsefailure" in [tags]) {
           mutate { negate => true }
        }
...

shartmann · June 19, 2015, 9:23am

Hi yuphing,

thanks for your reply, this works.

Topic		Replies	Views
Logstash grep and grok Logstash	4	1253	November 15, 2020
Grok filter if [type] Logstash	5	6103	January 16, 2017
Error in Logstash conditional expression Logstash	5	1280	March 8, 2018
Grok filter for log files in logstash Logstash	14	2479	February 7, 2020
_grokparsefailure in Logstash? Logstash	1	508	February 10, 2017

Logstash 1.5.0 alternative for filter grep

alternative for this part, everything else work

Related topics