Hi,
I'm trying to build a logstash filter to drop message that contains dollar at the end of string.
I'm receiving log from a domain controller and I would like to get message that has in the field "user.name" only real person so without dollar in the username.
I'm using last version of ELK stack.
Could you help me please?
Thank you.
if "$" in [message] { drop { } }
Try something like that. If it contains a $ it should drop the message.
Thank you aaron, I tried but it did not works.
input {
generator {
lines => [
"aaron.nimocks",
"drop.this$",
"davide.stallone"
]
count => 1
}
}
filter {
if "$" in [message] { drop { } }
}
output {
stdout { codec => "rubydebug" }
}
Here is what I ran to test it. It drops the middle record that has a $ in it.
I made new conf file with your code, How can I use it now?
Thx
Did you adjust his example for your use case and replace [message] with [user][name] or did you just take it the way it was?
Hi Jenni,
I also tried your way and the follow ways:
if ([message] =~ "$") {
mutate {
add_field => { "hello" => "world" }
} "using this one I have added field in all messages"
if ([user.name] =~ "$") {
mutate {
add_field => { "hello" => "world" }
} "the same"
the field message contains all data than also contains user.name field.
Ok, I found How to use it
@davide.stallone glad you got it working! 
Thank you very much!!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.