Logstash filter loglevel info warn and error

Elastic Stack Logstash
1

i have this JSON data:
"result": [

    {

        "payload": {

            "context": "default",

            "level": "DEBUG",

            "logger": "org.forgerock.opendj.ldap.CachedConnectionPool",

            "message": "Connection attempt failed: availableConnections=0, maxPoolSize=2",

            "thread": "LDAP SDK Default Scheduler",

            "timestamp": "2022-03-09T07:54:16.939Z",

            "transactionId": null

        },

        "timestamp": "2022-03-09T07:54:16.939328893Z",

        "type": "application/json"

    }

]

i need to index only the data with level (info, warn, error) with logstash, and drop DEBUG one
can someone help ?

2

use drop filter

3

i tried it, but it doesn't work
i tried also
if [result][payload][level] == "DEBUG" {
mutate {
remove_field => [ "level" ] }
}

but it keeps indexing the debug level

4

you data in logstash is real JSON or "message::"{{json string}}" now?

5

I tested it with follow conf:

input {
  file {
    path => "/home/caster/input"
    format => json
  }
}
filter {
  if [loglevel] == "debug" {
    drop { }
  }
}
output {
  file {
    path => "/home/caster/output"
  }
}

when i echo "{"loglevel":"info","id":"1"}" > input, it write to output
when i echo "{"loglevel":"debug","id":"1"}" > input, it not write to output

6

yes it's json format but the level is not in the message field, it's an independent field

"result": [

    {

        "payload": {

            "context": "default",

            "level": "DEBUG",
7

[result] appears to be an array. Try

if [result][0][payload][level] == "DEBUG" {
8

indeed it's an array and it works now.
Thank you Badger for your help)