Logstash remove unwanted fields

Elastic Stack Logstash
1

I am using logstaah 5.6.4
I am trying to parse the below message field in logstash and add a field "error_code" but logstash adds all the fields(bytes, syslog_hostname, method, method2). How to configure logstash to stop adding the unwanted fields?
message: 1332414 Backup hgnmowi88-ben Done 0 16142082 idk-dev-db Prod-Differential hqidwinfmd03-ben

and my logstash confi is below

if [type] == "hostup" {
grok {
match => { "message" => "%{NUMBER:bytes}\s*%{WORD:method}\s*%{SYSLOGHOST:syslog_hostname}\s*%{WORD:method2}\s*%{INT:number}\s*%{INT:number2}\s*%{USERNAME:user_id}\s*%{SYSLOGHOST:syslog_hostname2}"}
add_field => { "error_code" => "%{number}"}
}
}

2

To match and capture into a field use %{PATTERN:field}. To match without capturing into a field use %{PATTERN}.

add_field => { "error_code" => "%{number}"}

Remove this line and replace %{INT:number} with %{INT:error_code}.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.