Logstash filter not working

parisila · December 23, 2022, 8:28pm

I have filebeat, logstash and elasticsearch. My logstash config.d looks like this

logstashconfig

02-beats-input.conf receives the message from filebeat
30-elasticsearch-output.conf sends to elasticsearch ingest pipeline. Logstash doesn't do any parsing.
I am trying to implement filters for the various logs but they don't seem to be working.
The 12-system.syslog-filter.conf is like this

I have tried several iterations and snippets from others but I am still getting the messages that I expect to be filtered shown in my Kibana search.

Sorry, I can't post actual code as the system is in a secure environment with no copy out so that is why screenshots

Rios · December 25, 2022, 11:34pm

It's working for me if test with if ("Created slice" in [message]) { ... on the latest LS version.

Have you tried with?
if ([message] =~ /\ACreated slice/ ) { drop {} }

Are you sure that both IFs are working? [event][module] and [fileset][name] ?

Rios · December 26, 2022, 8:29am

One more thing, check are nested fields or with dots. For instance, "event": { "modules": "system" } might be: "event.modules": "system". You will see it in Kibana - JSON view.

system · January 23, 2023, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Log Filtration Issue with Filebeat and Logstash Configuration Logstash	19	508	September 13, 2023
Logstash.conf filter doesn't work Logstash	15	891	October 28, 2020
Grok filter is not working Logstash	4	12310	July 6, 2017
Logstash pipelines does not take filter Logstash	1	201	December 7, 2020
Filtering on beats fields issue Logstash	7	2211	September 5, 2017

Logstash filter not working

Related topics