Remove a line block according to a certain string value

I am new to ELK and I am trying to skip/remove a block of lines according to a certain string value from a grok tag.

2015-05-21 18:53:20,560 -3- [Class] A certain string
2015-05-21 18:53:20,560 -3- [Class]    Col1    Col2    Col3    Col4    Col5    Col6    Col7    Col8    Col9   Col10    Col11 Class
2015-05-21 18:53:20,560 -3- [Class]       0       0      96       0       0     234   21351       0      64     473     6172 com.class1
2015-05-21 18:53:20,560 -3- [Class]       0       0    5467       0       0       0       1       0       0       4      226 com.class2
2015-05-21 18:53:20,560 -3- [Class]       0       0      36       0       0       0       0      65     428    7727    15435 com.class3
2015-05-21 18:53:20,560 -3- [Class]       0       0  377841       0       0       0       4       0       0       1      402 com.class4
2015-05-21 18:53:20,560 -3- [Class]       0       0      33       0       0       0       1       0       1       6       52 com.class5
2015-05-21 18:53:20,560 -3- [Class]       0       0     796       0       0       0       1       0       2      24     1662 com.class6
2015-05-21 18:53:20,560 -3- [Class]       0       0  531205       0       0       0       4       0       0     102    23115 com.class7
2015-05-21 18:53:20,560 -3- [Class]       0       0   75534       0       0       0       1       0       0      21      246 com.class2
2015-05-21 18:53:20,560 -3- [Class]       0       0   12413       0       0       0       1       0       6    1822    85529 com.class1
2015-05-21 18:53:20,560 -3- [Class] Another String
2015-05-21 18:53:20,560 -3- [Class]    Col1    Col2    Col3    Col4    Col5    Col6    Col7    Col8    Col9   Col10    Col11 Class
2015-05-21 18:53:20,560 -3- [Class]       0       0      96       0       0     234   21351       0      64     473     6172 com.class1
2015-05-21 18:53:20,560 -3- [Class]       0       0    5467       0       0       0       1       0       0       4      226 com.class2
2015-05-21 18:53:20,560 -3- [Class]       0       0     796       0       0       0       1       0       2      24     1662 com.class6
2015-05-21 18:53:20,560 -3- [Class]       0       0  531205       0       0       0       4       0       0     102    23115 com.class7
2015-05-21 18:53:20,560 -3- [Class]       0       0   75534       0       0       0       1       0       0      21      246 com.class2
2015-05-21 18:53:20,560 -3- [Class]       0       0   12413       0       0       0       1       0       6    1822    85529 com.class1

This example shows the issue I am facing. The first line contains "A certain string" and I need to remove all lines after this line until Logstash meets line 12, where "A certain string" changes to "Another String". Is it possible to do this? Thanks

After using grok to match the lines with the string you want to keep, tag them using add_tag. Below your grok, write an if statement that checks whether the line has been tagged and drops everything that isn't.

if "taggedLine" not in [tags] {
  drop {}
}

Hello Ryan. Thank you for your help. I tried it before but I cannot differentiate lines between:
2015-05-21 18:53:20,560 -3- [Class] A certain string

and after:
2015-05-21 18:53:20,560 -3- [Class] Another String

I just want to keep lines after "2015-05-21 18:53:20,560 -3- [Class] Another String" and drop lines before it. That's why it is a little bit more complicated, I think.
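The per-block behaviour asked about above needs state carried from one line to the next, which a per-event tag check cannot provide. The following is an added example, not code from the thread or from Logstash: a small Ruby state machine over a constructed sample in the thread's log format. `BlockFilter` and its method names are hypothetical, and it assumes the title line of a dropped block is dropped along with its rows.

```ruby
# Added example: stateful block filter for the log layout shown in the thread.
# BlockFilter and its method names are hypothetical, not part of Logstash.

# "<timestamp> -<n>- [<class>] <message>"
LINE_RE = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} -\d+- \[[^\]]+\] (?<msg>.*)\z/
# Table row: eleven integer columns, then a class name.
ROW_RE  = /\A\s*(?:\d+\s+){11}\S+\s*\z/
# Column header row that follows each block title.
COLS_RE = /\A\s*Col1\s/

class BlockFilter
  def initialize(drop_titles)
    @drop_titles = drop_titles
    @dropping = false
  end

  # True when the line should be kept. Call order matters: the decision
  # for a row depends on the most recent title line seen.
  def keep?(line)
    m = LINE_RE.match(line.chomp)
    return true if m.nil? # never silently discard a line we could not parse
    msg = m[:msg]
    unless ROW_RE.match?(msg) || COLS_RE.match?(msg)
      @dropping = @drop_titles.include?(msg.strip) # title line: new block
    end
    !@dropping
  end

  def filter(lines)
    lines.select { |l| keep?(l) }
  end
end

# Constructed sample in the thread's format (two rows per block).
SAMPLE = <<~LOG.lines
  2015-05-21 18:53:20,560 -3- [Class] A certain string
  2015-05-21 18:53:20,560 -3- [Class]    Col1 Col2 Col3 Col4 Col5 Col6 Col7 Col8 Col9 Col10 Col11 Class
  2015-05-21 18:53:20,560 -3- [Class]       0 0 96 0 0 234 21351 0 64 473 6172 com.class1
  2015-05-21 18:53:20,560 -3- [Class]       0 0 5467 0 0 0 1 0 0 4 226 com.class2
  2015-05-21 18:53:20,560 -3- [Class] Another String
  2015-05-21 18:53:20,560 -3- [Class]    Col1 Col2 Col3 Col4 Col5 Col6 Col7 Col8 Col9 Col10 Col11 Class
  2015-05-21 18:53:20,560 -3- [Class]       0 0 796 0 0 0 1 0 2 24 1662 com.class6
  2015-05-21 18:53:20,560 -3- [Class]       0 0 531205 0 0 0 4 0 0 102 23115 com.class7
LOG

KEPT = BlockFilter.new(["A certain string"]).filter(SAMPLE)
puts KEPT
```

Inside Logstash the same state would have to live in a stateful filter such as the ruby filter (state set in `init`, the decision made in `code`, `event.cancel` to drop), and the pipeline must run with a single worker so that lines are processed in file order.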
