Logstash filter doesn't appear to be functioning

bmf614zzz · July 14, 2025, 2:13pm

Hello,

Logstash version: 6.8.23

data

message: cmd_logger_api.c(260) 10987641 %% INFO [CLI:backupguy:10.0.1.254] User has logged out
type: rsyslog

Logstash filter:

filter {
if "backupguy" in [message] { drop {} }
}
Problem:

I still seem to be getting the string backupguy in the message field created in Elasticsearch anyone have any ideas why?

Badger · July 14, 2025, 4:33pm

Please show us exactly what the [message] field looks like in either rubydebug or JSON markup. That conditional would fail if [message] is an array (or even a hash), there may be other reasons too.

Rios · July 14, 2025, 4:59pm

Have you restarted LS after added drop?

Also you can use regex
if [message] =~ /backupguy/ {

Topic		Replies	Views
Creating drop filters based on a string search in a message field Logstash	13	39257	November 4, 2022
Dropping logs in logstash Logstash	5	2759	April 28, 2017
Logstash filter not wroking Logstash	7	2172	October 12, 2017
Logstash drop filter is not dropping events Logstash	2	1140	November 4, 2022
Logstash not dropping messages as configured Logstash	6	1276	April 1, 2019

Logstash filter doesn't appear to be functioning

Related topics