Logstash skips first lines and start reading from second line

Pranjal_Sett · April 11, 2022, 2:56pm

Hi All,

This is below my sample logs.

[2022-03-09T22:38:03.296+01:00] [String] [NOTIFICATION:16] [ODL-52001] [FileLogWriter] [Oracle] [host: *] [nwaddr: *] [tid: [ACTIVE].ExecuteThread: '157' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: *] deleting log file: diagnostic-42.log, size: 10481909 bytes

[2022-03-09T22:38:03.214+01:00] [STR1] [NOTIFICATION] [logging] [tid: *] [userId: ] [ecid: *,0:10] [APP: soa] [partition-name: D] [tenant-name: G] [WSM_ServiceID: *] [FlowId: *] [policy] [WSM_LogType: Request] [[ XML details]]

So I don't want this first line which is starting [2022-03-09T22:38:03.296+01:00] [String] [NOTIFICATION:16]..... want to drop it and want to keep from second line which is starting [2022-03-09T22:38:03.214+01:00] [STR1] [NOTIFICATION] [logging].......

So, how can I achieve this in logstash.. Shall I write multiple match pattern and drop the first message?

Pranjal_Sett · April 12, 2022, 9:27am

@magnusbaeck , Can you please suggest on that?

leandrojmp · April 12, 2022, 12:09pm

If you do not want a line in your output, you will need to drop it someway.

To do that in Logstash you need a string or field with a specific value to drop that line.

So if you want to drop multiple lines you need to have some common value on those lines or write a conditional that match each one of them.

For example, you can drop something with the following configuration in the filter block.

if "string to match" in [message] { drop {} }

Pranjal_Sett · April 12, 2022, 12:23pm

Hello @leandrojmp ,

Yes... It worked.. Thanks a lot.

system · May 10, 2022, 12:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.