Parsing logs for specific domain

I want to parse HAProxy logs for a specific domain (below, abc refers to abc.com) using Logstash. This is the filter that I am trying to use inside the Logstash input:

input {
  filter {
    if [message] =~ "abc" {
      grok {
        match => ["message", .......

In the above config, I am specifying to filter logs with abc; however, this doesn't seem to be effective. When I look at the ES index, I see logs parsed for all the different domains along with abc.com, which I don't want.

I want logs only for specific domains (say abc.com) to be indexed into ES, and to ignore everything apart from abc.com.

Any help would be appreciated here.

The syntax is

if [message] =~ /abc/ {

but I'd prefer to unconditionally parse the event with grok and throw it away unless the extracted domain field matches the interesting domain name. Otherwise you'll parse messages that happen to contain that domain name in other parts (although that could be very unlikely).

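The approach from the answer, written out as a full filter section. This is an added example, not code from either poster. It assumes HAProxy is configured with `capture request header Host len 64`, so the Host value is the first entry inside the braces of each HTTP log line; the field name `domain` and the sample line are made up for illustration.

```logstash
# filter is a top-level section, a sibling of input and output,
# not something nested inside input.
filter {
  # Constructed sample line (HAProxy HTTP log format, Host captured first):
  #   haproxy[2101]: 10.0.0.5:51234 [12/Mar/2015:10:01:02.123] http-in web/srv1
  #   0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 {abc.com} "GET /index.html HTTP/1.1"
  grok {
    # Unanchored match on the first {...} group of the line.
    # An optional :port after the host name is matched but not stored.
    match => { "message" => "\{%{IPORHOST:domain}(?::%{POSINT})?[|}]" }
  }

  # Host names are case-insensitive, so normalise before comparing.
  mutate {
    lowercase => [ "domain" ]
  }

  # Exact comparison on the extracted field. Events that grok could not
  # parse are dropped too, so nothing unparsed reaches the output.
  if "_grokparsefailure" in [tags] or [domain] != "abc.com" {
    drop { }
  }
}
```

Unlike `=~ /abc/` on the whole message, this keeps an event only when the captured Host value is exactly abc.com, so lines for abcdef.org or lines that merely contain "abc" in the request path are not indexed.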