Passing only loglevel ERROR FROM LOG USING GROK FILTRATION

Elastic Stack Logstash
1

Hi

I'm new to logstash and i need help parsing only error logs when loglevel == error i have tried many filtrations on here and im not getting the result i need.
here is a sample of my error log. i just want to pick any log that contains error on the loglevel as shown below as you can see the message pattern changes thats why i only want to pick only the loglevel error.

172923612 ERROR [WebContainer : 25] uslessattention.nothinghereSODAO 2020-10-17 19:11:12,955 - checkCcEnrollednothing: nothing(s) are enrolled for this manmade but not permissioned for user -

173083431 ERROR [WorkManager.7000_WM_lizzard : 5711] uslessattention.nothinghere 2020-10-17 19:13:52,774 - checkCcEnrollednothin: No accounts enrolled for this service -

11473239 ERROR [WebContainer : 4] messagenothinghere.imnotjoiking 2020-10-16 15:22:03,360 - doStartTag(): ~CRITICAL ERROR~ : Please check id headerror => signinId=stress6.test23056@ste.com, nothing=15555555888 -

2

You could extract the loglevel using dissect (or grok) or you could pattern match the line

if [message] !~ /^\d+ ERROR / { drop {} }
3

thanks Badger but doesnt that mean i will have to state all the patterns?

and also this if statement will it be in the output or filtration section?

sorry im asking a silly question this is new to me and im trying to understand it.

4

No, the filter I showed will drop any message unless it begins with a number and the text ERROR. That would keep all of the messages you showed.

You would add that to the filter section.

5

thank you so much Badger

so something like this ??

filter {

 if ([message] !~ /^\d+ ERROR / { drop {} }) 
  
  mutate
  {
    add_field => {"appcode" => "7000"}
  }
}	
output { 

elasticspace.......
   
}
stdout {
codec => rubydebug
}
6

Yes, but you would need to remove the ( and )

7

Thanks so much Basger