Logstash translate filter for multiple fields

bijay · November 15, 2018, 8:51am

Hi,

I want to drop the logs based on multiple fields.

Below is the content of drop.yml

logstash : '{"info": "drop"}'

e.g. I want to drop the loglines which has contain the "component" : "logstash" and "severity": "info"

I want to do this dynamically.

    translate {
        field => "component"
        destination => "logstat"
        dictionary_path => "/tmp/drop.yml"
    }
    json {
        source => "logstat"
        target => "severity"
    }
    if [target] == "drop" {
        drop { }
    }

The input logline:

{"nodetype":"haproxy","ssinst":"001","component":"logstash","severity":"info","logsource":"log"}
{"nodetype":"haproxy","ssinst":"001","component":"logstash","severity":"debug","logsource":"log"}
{"nodetype":"haproxy","ssinst":"001","component":"logstash","severity":"error","logsource":"log"}
{"nodetype":"haproxy","ssinst":"001","component":"kafka","severity":"error","logsource":"log"}
{"nodetype":"haproxy","ssinst":"001","component":"logstash","logsource":"log"}

bijay · November 15, 2018, 9:32am

This can be done using two translate sections, but I want single source for comparison.

bijay · November 15, 2018, 11:32am

If I want to drop all the logs of a component want to drop based on the condition:

"component":"all":"drop"
or
"component":"info":"drop"

bijay · November 16, 2018, 7:52pm

Can anyone please suggest how to proceed?

Thanks
Bijay

system · December 14, 2018, 7:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.