Need help to create loglevel field

sushant12 · October 26, 2021, 9:25am

filter{
if "ERROR" in [LEVEl]{
grok{
match => {·
"message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"·
}

             }
 }           
 if "DEBUG" in [LEVEl]{
       grok{·····
          match => {·
             "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"·
             }
           } 
 }         
 if "CRITICAL" in [LEVEl]{
       grok{····· 
          match => {·
             "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"
             }
           } 
 }

 mutate {
         remove_field => [ "@version", "path", "host"]
           }

Badger · October 26, 2021, 5:33pm

I do not understand what you are trying to do here. I see nothing that would have created the [LEVEl] field, so I would expect none of the groks to be executed. Also, all of your grok filters look the same, so why not replace that whole filter section with

filter { grok { match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" } }

sushant12 · October 27, 2021, 10:15am

please help me. here I am trying to extract "ERROR", "DEBUG" and "CRITICAL " logs with the help of logstash and add_field which contain loglevel like ("ERROR", "DEBUG" and "CRITICAL") as per its type.
Avoid to send "INFO" logs to output.
Could you please help how can write filter for that?

Badger · October 27, 2021, 2:51pm

You could try

filter {
    grok { match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" }
    if [LEVEL] == "INFO" { drop {} }
}

system · November 24, 2021, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.