Logstash parse only JSON messages

ArunANayagam · May 31, 2018, 7:36pm

Hi,
I want to parse various different messages being logged into cloudwatch. And I am planning to use logstash-input-cloudwatch-logs plugin.

Now there are a lot of non-json messages written into cloudwatch, I want to ignore all of them. I only want proper json messages to be parsed.

I know that I can use the json filter and drop messages that have a tag of "_jsonparsefailure"

But somehow this feels inefficient, as the attempt to json parse is done and then a decision to drop is made.

Is there a more efficient way to drop non-json messages?

Thanks,
Arun

magnusbaeck · May 31, 2018, 8:57pm

Well, you could use a conditional that drops all events that don't begin with {.

if [message] !~ /^\{/ {
  drop { }
}

ArunANayagam · June 1, 2018, 9:04am

Thank you so much. That helps.

Arun

system · June 29, 2018, 9:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse json and non-json logs Logstash	2	364	February 28, 2023
Logstash filter plugin Logstash docker	2	495	October 8, 2021
If _jsonparsefailure in [tags] Logstash	4	8796	February 26, 2017
Drop logs when there is a jsonparsefailure Logstash	4	4828	July 6, 2017
Parse json if json else leave as is Logstash	2	1269	July 6, 2017