Logstash filter out log lines

shivendra95 · April 12, 2022, 1:02pm

Hi,
I have json logs that I want to filter based on the message field.

{"@timestamp":"2022-04-05T01:20:50.917+00:00","severity":"INFO","service":"service","pid":"18245","thread":"http-nio-8102-exec-1","class":"class","message":"[ELK] some log data"}

Above is the json object that is being parsed by logstash, I want to write only those logs onto my Elasticsearch index which have [ELK] in the message field and ignore all other logs.

I'm not able to do this through logstash filters, if anyone can guide me it will of great help.

leandrojmp · April 12, 2022, 1:04pm

You just need a conditional.

if "[ELK]" not in [message] {
    drop {}
}

This will drop every event that does not have the string "[ELK]" in the message field.

shivendra95 · April 12, 2022, 1:08pm

Do I need to add this in the filter section like this

filter {
json {
if "[ELK]" not in [message] {
    drop {}
}
}

leandrojmp · April 12, 2022, 1:11pm

It is in the filter section, but it is not inside the json filter, you need to put it after you parse the message.

filter {
    if "[ELK]" not in [message] {
        drop {}
    }
}

shivendra95 · April 12, 2022, 1:25pm

Thanks for the help. It's now working as I wanted.

KALAVATHI_YALAMANCHA · May 4, 2022, 3:11am

Hi All,

Can somebody please help to check why the below error while using cipher_kms filter

ipeline error {:pipeline_id=>"main", :exception=>#<NoMethodError: undefined method blank' for nil:NilClass>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-cipher_kms-0.1.3/lib/logstash/filters/cipher_kms.rb:234:in init_cipher'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-cipher_kms-0.1.3/lib/logstash/filters/cipher_kms.rb:131:in register'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75:in register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:232:in block in register_plugins'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:231:in register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:594:in maybe_setup_out_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:244:in start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:189:in run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:141:in `block in start'"], "pipeline.sources"=>["/usr/share/logstash/pipeline/logstash.conf"], :thread=>

system · June 1, 2022, 3:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter for log4j logs inorder to parse messages from logs Logstash	5	8964	February 22, 2017
How to use the JSON filter correctly? Logstash	14	1772	August 25, 2023
Filter JSON message in kibana Kibana	2	3970	October 4, 2022
Why is this logstah filter not working as intended? Logstash	2	290	September 13, 2020
Json { source => "message" } not parsing all of it Logstash	21	1603	March 22, 2022

Logstash filter out log lines

Related Topics