Logstash filter not working

parisila · December 23, 2022, 8:28pm

I have filebeat, logstash and elasticsearch. My logstash config.d looks like this

logstashconfig

02-beats-input.conf receives the message from filebeat
30-elasticsearch-output.conf sends to elasticsearch ingest pipeline. Logstash doesn't do any parsing.
I am trying to implement filters for the various logs but they don't seem to be working.
The 12-system.syslog-filter.conf is like this

I have tried several iterations and snippets from others but I am still getting the messages that I expect to be filtered shown in my Kibana search.

Sorry, I can't post actual code as the system is in a secure environment with no copy out so that is why screenshots

Rios · December 25, 2022, 11:34pm

It's working for me if test with if ("Created slice" in [message]) { ... on the latest LS version.

Have you tried with?
if ([message] =~ /\ACreated slice/ ) { drop {} }

Are you sure that both IFs are working? [event][module] and [fileset][name] ?

Rios · December 26, 2022, 8:29am

One more thing, check are nested fields or with dots. For instance, "event": { "modules": "system" } might be: "event.modules": "system". You will see it in Kibana - JSON view.

system · January 23, 2023, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.