Logstash - Handling different kinds of logs

I am using Logstash to parse logs which have a keyword ERR in them.

I want to ship these logs to Elasticsearch, whereas I do not want to
ship the logs which do not contain the word ERR.

So for that, I am using a regex pattern to parse the logs and send them to
Elasticsearch. It is working fine with the logs that have the word
ERR. But for the logs which don't have it, I get an error and the code gives
an Exception.

I do not want the code to hang; rather I want to skip those logs which don't
have ERR.

How do I achieve this with Logstash/Grok?

Please help.

My conf file is:

input {
  stdin {
    type => "stdin-type"
  }
}

filter {
  grok {
    type => "stdin-type"
    patterns_dir => ["./patterns"]
    pattern => "%{PARSE_ERROR}"
    # add_tag takes an array; a single comma-separated string would become one tag
    add_tag => ["%{type1}", "%{type2}", "%{slave}", "ERR_SYSTEM"]
  }

  date {
    type => "stdin-type"
    # parse the captured ts field into @timestamp
    # (replace and custom_timestamp are not options of the date filter)
    match => ["ts", "yyyy/MM/dd-HH:mm:ss.SSS"]
  }

  mutate {
    type => "stdin-type"
    replace => ["@message", "%{message}"]
  }
}

output {
  stdout { debug => true debug_format => "json" }
  elasticsearch {
  }
}

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
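One way to get the "skip lines without ERR" behaviour asked for above, written here as an added example rather than code from the original post or from the Logstash project: grok does not raise on a non-matching line, it tags the event with `_grokparsefailure`, so the decision can be made on that tag. This assumes the conditional syntax introduced in Logstash 1.2 and the `hosts` option of the Elasticsearch output (2.x and later), that the poster's `PARSE_ERROR` pattern in `./patterns` captures `ts`, `type1`, `type2` and `slave`, and the file path below is a placeholder.

```conf
input {
  stdin { type => "stdin-type" }
}

filter {
  grok {
    # PARSE_ERROR is the poster's custom pattern (assumed to match only
    # lines containing ERR and to capture ts, type1, type2 and slave)
    patterns_dir => ["./patterns"]
    match => { "message" => "%{PARSE_ERROR}" }
    # add_tag is applied only when the match succeeds; on failure grok
    # adds "_grokparsefailure" to [tags] instead of raising an exception
    add_tag => ["%{type1}", "%{type2}", "%{slave}", "ERR_SYSTEM"]
  }

  # Only events that matched carry a ts field, so guard the date filter.
  if "ERR_SYSTEM" in [tags] {
    date {
      match => ["ts", "yyyy/MM/dd-HH:mm:ss.SSS"]
    }
  }

  # To discard non-ERR lines outright, uncomment this block:
  # if "_grokparsefailure" in [tags] {
  #   drop { }
  # }
}

output {
  if "_grokparsefailure" in [tags] {
    # Lines that did not parse are written aside rather than silently lost,
    # so a changed log format or unexpected input stays visible for review.
    file { path => "/var/log/logstash/unparsed.log" }   # placeholder path
  } else {
    elasticsearch { hosts => ["localhost:9200"] }       # assumed address
  }
}
```

Routing parse failures to a file instead of dropping them costs little and keeps a record of what the pipeline refused; if the volume of non-ERR lines is large, the commented `drop { }` block gives the plain skip the question asks for.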

You'd be better off asking this on the logstash mailing list

clint

On 15 May 2013 06:02, Aakash Anuj aakashanuj.iitkgp@gmail.com wrote: