Logstash filter not working

parisila · December 23, 2022, 8:28pm

I have filebeat, logstash and elasticsearch. My logstash config.d looks like this

logstashconfig

02-beats-input.conf receives the message from filebeat
30-elasticsearch-output.conf sends to elasticsearch ingest pipeline. Logstash doesn't do any parsing.
I am trying to implement filters for the various logs but they don't seem to be working.
The 12-system.syslog-filter.conf is like this

I have tried several iterations and snippets from others but I am still getting the messages that I expect to be filtered shown in my Kibana search.

Sorry, I can't post actual code as the system is in a secure environment with no copy out so that is why screenshots

Rios · December 25, 2022, 11:34pm

It's working for me if test with if ("Created slice" in [message]) { ... on the latest LS version.

Have you tried with?
if ([message] =~ /\ACreated slice/ ) { drop {} }

Are you sure that both IFs are working? [event][module] and [fileset][name] ?

Rios · December 26, 2022, 8:29am

One more thing, check are nested fields or with dots. For instance, "event": { "modules": "system" } might be: "event.modules": "system". You will see it in Kibana - JSON view.

Topic		Replies	Views
Logstash pipelines does not take filter Logstash	1	215	December 7, 2020
Log Filtration Issue with Filebeat and Logstash Configuration Logstash	19	695	September 13, 2023
Logstash.conf filter doesn't work Logstash	15	969	October 28, 2020
Filtering question Logstash	11	447	February 5, 2019
Logstash filter doesn't appear to be functioning Logstash	2	43	July 14, 2025

Logstash filter not working

Related topics