Need help to create loglevel field

Elastic Stack Logstash
1

filter{
if "ERROR" in [LEVEl]{
grok{
match => {·
"message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"·
}

             }
 }           
 if "DEBUG" in [LEVEl]{
       grok{·····
          match => {·
             "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"·
             }
           } 
 }         
 if "CRITICAL" in [LEVEl]{
       grok{····· 
          match => {·
             "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"
             }
           } 
 }

 mutate {
         remove_field => [ "@version", "path", "host"]
           }
2

I do not understand what you are trying to do here. I see nothing that would have created the [LEVEl] field, so I would expect none of the groks to be executed. Also, all of your grok filters look the same, so why not replace that whole filter section with

filter { grok { match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" } }
3

please help me. here I am trying to extract "ERROR", "DEBUG" and "CRITICAL " logs with the help of logstash and add_field which contain loglevel like ("ERROR", "DEBUG" and "CRITICAL") as per its type.
Avoid to send "INFO" logs to output.
Could you please help how can write filter for that?

4

You could try

filter {
    grok { match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" }
    if [LEVEL] == "INFO" { drop {} }
}
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.