Hi
Please help if you can.
How can we get Logstash to log only the lines starting with "central-logging": "true" and ignore the rest, which we don't need?
{ "central-logging": "true", "log-date": "2020-01-15 11:19:08 UTC", "severity": "INFO", "BuildSetID": "sim-12345678", "Process": "CheckJobInputs", "log-message": "Directory: /images exists"}
If by ignore you mean "discard all other events and not even index them", you can start your filter with a condition to drop the messages that won't match a regexp !~ looking for log contents that start with ^ your desired string. The curly bracket must be escaped \{.
That is:
    if [message] !~ /^\{ "central-logging": "true"/ {
      drop { }
    }
Having said that, if you may want to process the other lines in the future, it may be worth taking a look at the json filter and setting conditions depending on the existence or value of "central-logging".
Hi Andres
I have a huge log and I just want to print the lines that match { "central-logging": "true", within the message
Thanks
So, either you discard all the other messages (as I have described in my previous comment) or you add a condition in the output section to log only the messages that match =~ your string.
You can see examples in the documentation: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
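
The json filter approach mentioned in the replies above, written out as a full pipeline. This is an added example, not configuration posted by anyone in the thread; the stdin input and stdout output are assumptions standing in for the real input and output.

```conf
# Constructed pipeline: stdin/stdout are placeholders for the real input and output.
input {
  stdin { }
}

filter {
  # Parse each line as JSON so that its keys become event fields.
  json {
    source => "message"
    # Lines that are not valid JSON pass through without a warning or a failure tag;
    # they are dropped below because they never get a "central-logging" field.
    skip_on_invalid_json => true
  }

  # Keep only events whose parsed field is the string "true".
  # Unlike the regexp on [message], this does not depend on the key being
  # first in the line or on the exact spacing after the opening brace.
  if [central-logging] != "true" {
    drop { }
  }
}

output {
  # To keep the other events in the pipeline instead of dropping them,
  # remove the drop above and wrap this output in:
  #   if [central-logging] == "true" { ... }
  stdout { codec => rubydebug }
}
```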