Logstash not dropping messages as configured

LollerAgent · March 1, 2019, 7:42pm

Can someone please help me understand why the following "drop" filter is not working?

As you can see, the original [message] field is in [json][log][message] but is renamed to [log][message] in the second filter. I have confirmed (by using debug) that Logstash does indeed see the "message" as [log][message], but the filter to drop the message is not working.

  if [json] {
    mutate {
      id           => "filter-move-object-to-log"
      rename => { "[json]" => "[log]" }
    }
  }

  if [log][message] =~ /The client method is deprecated as of redis-rb 4.0.0, please use the new _clientmethod instead/ {
    drop {
      id         => "filter-drop-redis-dep-notice"
    }
  }

Badger · March 1, 2019, 7:57pm

If the message field starts off in [json][log][message] then that rename would move it to [log][log][message], not [log][message]

LollerAgent · March 1, 2019, 9:39pm

Isn't it a bit odd then that a debug output in Logstash shows it at [log][message]?

{
    "@timestamp" => 2019-03-01T18:52:02.918Z,
         "input" => {
        "type" => "docker"
    },
           "log" => {
            "amazon_trace_id" => "123",
                        "pid" => 27,
              "custom_fields" => {},
                      "level" => "info",
        "log_weasel_trace_id" => "123",
                    "message" => "The client method is deprecated as of redis-rb 4.0.0, please use the new _clientmethod instead",

Badger · March 1, 2019, 9:49pm

Seems odd to me.

LollerAgent · March 4, 2019, 2:36pm

Does anyone else here have any ideas? Verified that [log][log][message] doesn't work either:

{
          "id" : "filter-drop-redis-dep-notice",
          "events" : {
            "duration_in_millis" : 0,
            "in" : 0,
            "out" : 0
 },

LollerAgent · March 4, 2019, 2:58pm

UPDATE. This config works:

  if [message] =~ /The client method is deprecated as of redis-rb 4.0.0, please use the new _clientmethod instead/ {
    drop {
      id         => "filter-drop-redis-dep-notice"
    }
  }

So, even though Logstash debug shows the field at [log][message], the rule only succeeds if I specify [message]. Can someone help me understand why?

system · April 1, 2019, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.