Remove whole documents with certain value in field

Marta_Zagrajek · October 21, 2019, 1:03pm

Hello there
I have apache logs in which are documents that I want to remove completely.
Whole documents not fields so I do not want to use remove_field in mutate.
I have tried drop:

filter {
      if "field_name" == "exact_value" {
        drop {}
      }
      }

so it looked like this in final:

filter {
      if "url.original" == "/im/nagios.plc" {
        drop {}
      }
      }

But it will not work, the documents are still there.
I have also tried drop { } with space inside.
I have tried [url.original] and [url.original] ==>
Logs of logstash will not show any problems.

I prefer not to create tags and then delete the documents with tags but if there will be no other way I will do it

Thank you for help!

Badger · October 21, 2019, 1:11pm

Is url.original a field with a period in its name, or is it a url object that contains an original field, in which case you should refer to it as [url][original] in logstash?

Marta_Zagrajek · October 21, 2019, 1:17pm

It is unfortunately field with period. That is why I finally chose to put it in " " instead of brackets.
And for this particular value is exactly: /im/nagios.plc
I did not know if REGEX will work, so I chose exact value.

Badger · October 21, 2019, 1:33pm

In that case I would expect that to work.

Marta_Zagrajek · October 21, 2019, 1:40pm

I restarted logstash, refreshed indexes. Nothing.
Maybe I will wait till next index will be created and it will not have this documents?

Marta_Zagrajek · October 22, 2019, 6:19pm

I found the answer. The if statement was good, but I fixed my format of apache logs.

system · November 19, 2019, 6:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.