Parsing logs for specific domain

himanshudas · April 5, 2016, 7:01pm

I want to parse HAPROXY logs for specific domain(below: abc refers to abc.com) using logstash.This is the filter that i am trying to use inside logstash input:

input {
filter {
if [message] =~ "abc" {
grok {
match => ["message", .......

On the above config, i am specifying to filter logs with abc, however, this doesn't seems to be effective, when i see on ES index, I get to see logs parsed for all different domains along with abc.com, which I don't want.

I want logs only for specific domains(say abc.com to be indexed into ES) and ignore everything apart from
abc.com

Any help would be appreciated here.

magnusbaeck · April 5, 2016, 8:01pm

The syntax is

if [message] =~ /abc/ {

but I'd prefer to unconditionally parse the event with grok and throw it away unless the extracted domain field matches the interesting domain name. Otherwise you'll parse messages that happen to contain that domain name in other parts (although that could be very unlikely).

Topic		Replies	Views
Exclude particular domain name in logstash grok filter section Logstash	6	2433	July 6, 2017
Filter specific Message with logstash before sending to ElasticSearch Logstash	3	2338	July 6, 2017
Grok filter add_field Logstash	6	2077	May 19, 2020
Parsing specific values from logs in logstash configuration Logstash	9	984	March 16, 2017
Extract domain with grok Logstash	2	748	January 13, 2022

Parsing logs for specific domain

Related Topics