Need help to create loglevel field

filter {
  if "ERROR" in [LEVEl] {
    grok {
      match => {
        "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"
      }
    }
  }
  if "DEBUG" in [LEVEl] {
    grok {
      match => {
        "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"
      }
    }
  }
  if "CRITICAL" in [LEVEl] {
    grok {
      match => {
        "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}"
      }
    }
  }

  mutate {
    remove_field => [ "@version", "path", "host" ]
  }
}

I do not understand what you are trying to do here. I see nothing that would have created the [LEVEl] field, so I would expect none of the groks to be executed. Also, all of your grok filters look the same, so why not replace that whole filter section with

filter { grok { match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" } } }

Please help me. Here I am trying to extract "ERROR", "DEBUG" and "CRITICAL" logs with the help of Logstash and add_field, which contains the log level ("ERROR", "DEBUG" or "CRITICAL") as per its type.
I want to avoid sending "INFO" logs to the output.
Could you please help with how I can write a filter for that?

You could try

filter {
    grok { match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" } }
    if [LEVEL] == "INFO" { drop {} }
}
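
An added example, not part of any post in this thread: the same grok pattern with an allow-list for the three levels the question names, plus handling for lines the pattern does not match, which would otherwise have no [LEVEL] field and pass the INFO check untouched. It goes beyond the reply above by dropping every level outside the allow-list (WARN included), not only INFO; the `loglevel` field name is taken from the thread title and the `unparsed` tag is a hypothetical name.

```logstash
filter {
  # Parse "<time> <level> <text>"; field names follow the thread.
  grok {
    match => { "message" => "%{TIME:timestamp} %{LOGLEVEL:LEVEL} %{GREEDYDATA:errormsg}" }
  }

  if "_grokparsefailure" in [tags] {
    # The line did not match, so [LEVEL] was never created.
    # Keep the event and mark it (hypothetical tag name) so that
    # format changes or malformed lines stay visible downstream.
    mutate { add_tag => [ "unparsed" ] }
  } else if [LEVEL] in [ "ERROR", "DEBUG", "CRITICAL" ] {
    # Allow-listed level: copy it into the "loglevel" field
    # (assumed name) and trim the fields the original post removed.
    mutate {
      add_field    => { "loglevel" => "%{LEVEL}" }
      remove_field => [ "@version", "path", "host" ]
    }
  } else {
    # INFO and every other level never reach the output.
    drop { }
  }
}
```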
