Logstash Grep and Drop

Jackal9301 · November 23, 2015, 2:53pm

I have an old conf file my predecessor made with grep in it for logstash. Under that is the Drop command. What can I use as the equivalent to make it still work the same way?

if [SourceModuleName] == 'eftxferlogs' {

    grok {
        match => [ 'message', '%{TIMESTAMP_ISO8601:EventTime} %{IPORHOST:FTPClientIpAddress} - %{NOTSPACE:FTPUserName} %{NAGIOSTIME}(?<FTPCommand>%{WORD} %{NOTSPACE}) - %{NOTSPACE:FTPStatusCode} %{NOTSPACE:FTPDownloadedBytes} %{NOTSPACE:FTPUploadedBytes} %{NOTSPACE:FTPServerIP} %{NOTSPACE:FTPServerPort}' ]
    }

    date {
        match => [ 'EventTime', 'YYYY-MM-dd HH:mm:ss' ]
        timezone => 'UTC'
    }

    dns {
        reverse => [ 'host' ]
        action => 'replace'
    }

    # Tag all sent/downloaded files
    #
    grep {
        match => [ 'FTPCommand', '^sent.*$' ]
        add_tag => 'sent_file'
        drop => 'false'
    }

Is the Drop command the same as break_on_match?

Instead of using grep in the old config which is obviously broken since I updated logstash I need to find something that will serve the same purpose.

Thanks,
Jack

magnusbaeck · November 23, 2015, 3:23pm

if [FTPCommand] =~ /^send.*$/ {
  mutate {
    add_tag => 'sent_file'
  }
}

Jackal9301 · November 23, 2015, 3:31pm

replace the grep portion with this?

magnusbaeck · November 24, 2015, 6:52am

Yes, that's right.