waelboss
March 10, 2022, 8:50am
1
i have this JSON data:
{
"payload": {
"context": "default",
"level": "DEBUG",
"logger": "org.forgerock.opendj.ldap.CachedConnectionPool",
"message": "Connection attempt failed: availableConnections=0, maxPoolSize=2",
"thread": "LDAP SDK Default Scheduler",
"timestamp": "2022-03-09T07:54:16.939Z",
"transactionId": null
},
"timestamp": "2022-03-09T07:54:16.939328893Z",
"type": "application/json"
}
]
i need to index only the data with level (info, warn, error) with logstash, and drop DEBUG one
waelboss
March 10, 2022, 8:55am
3
i tried it, but it doesn't work
but it keeps indexing the debug level
casterQ
March 10, 2022, 9:02am
4
you data in logstash is real JSON or "message::"{{json string}}" now?
casterQ
March 10, 2022, 10:09am
5
I tested it with follow conf:
input {
file {
path => "/home/caster/input"
format => json
}
}
filter {
if [loglevel] == "debug" {
drop { }
}
}
output {
file {
path => "/home/caster/output"
}
}
when i echo "{"loglevel":"info","id":"1"}" > input, it write to output
waelboss
March 10, 2022, 10:09am
6
yes it's json format but the level is not in the message field, it's an independent field
"result": [
{
"payload": {
"context": "default",
"level": "DEBUG",
Badger
March 10, 2022, 3:50pm
7
[result] appears to be an array. Try
if [result][0][payload][level] == "DEBUG" {
waelboss
March 12, 2022, 9:23am
8
indeed it's an array and it works now.
system
April 9, 2022, 9:23am
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.