Hello there
I have apache logs in which there are documents that I want to remove completely. Whole documents, not fields, so I do not want to use remove_field in mutate.
I have tried drop:

    filter {
      if "field_name" == "exact_value" {
        drop {}
      }
    }

so in the end it looked like this:

    filter {
      if "url.original" == "/im/nagios.plc" {
        drop {}
      }
    }

But it will not work; the documents are still there.
I have also tried drop { } with a space inside.
I have tried [url.original] and [url.original] ==>
The logstash logs do not show any problems.
I prefer not to create tags and then delete the documents with tags, but if there is no other way I will do it.
Is url.original a field with a period in its name, or is it a url object that contains an original field, in which case you should refer to it as [url][original] in logstash?
It is unfortunately a field with a period. That is why I finally chose to put it in " " instead of brackets.
And this particular value is exactly: /im/nagios.plc
I did not know if a regex would work, so I chose the exact value.
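For reference, here is the conditional written the way Logstash expects it. This is an added example, not config from either poster; it assumes the Apache events carry a top-level field literally named "url.original" (period in the name, not a nested url object) and that the value to drop is the /im/nagios.plc path quoted above. In a Logstash conditional, a double-quoted string on either side of == is a literal, so "url.original" == "/im/nagios.plc" compares two constants and is never true; a field is referenced in square brackets, and a period inside one pair of brackets is part of the field name rather than a nesting separator.

```logstash
# Added example (not either poster's config). Assumes a top-level field
# literally named "url.original" and the assumed health-check path
# /im/nagios.plc from the thread.
filter {
  # "url.original" == "/im/nagios.plc" is a comparison of two string
  # literals and never matches. [url.original] is a field reference to the
  # single field named url.original (the period does not nest).
  if [url.original] == "/im/nagios.plc" {
    drop { }
  }

  # If the field were instead a url object holding an original field,
  # the reference would be nested, one bracket pair per level:
  #
  #   if [url][original] == "/im/nagios.plc" {
  #     drop { }
  #   }

  # A regex works in the same position with the =~ operator, for example to
  # match several probe paths under /im/ (pattern is an assumed example):
  #
  #   if [url.original] =~ /^\/im\/[^\/]+\.plc$/ {
  #     drop { }
  #   }
}
```

Two practical checks before relying on it: run `bin/logstash --config.test_and_exit -f pipeline.conf` to confirm the file parses, and, while testing, temporarily replace `drop { }` with `mutate { add_tag => ["health-check"] }` so you can see in the output whether the condition is matching at all; once the tagged events are the ones you expect, switch back to drop. Keep in mind that dropped events are never indexed, so if those monitoring requests might be needed later for an investigation, tagging and routing them to a cheaper index is the alternative to discarding them.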