How can I exclude / discard those events which the grok filter fails to parse? I would like to just discard such events instead of crashing the service.
They shouldn't crash the service, if they are then there are other problems.
However this should work;
if "_grokparsefailure" in [tags] {
drop { }
}
Thanks @warkolm. This is what I was looking for.