Should we use filebeat include_lines to pre-filter messages before sent it to logstash?

atline · April 13, 2023, 9:28am

Usually in logstash we could use next to filter messages:

filter {
    grok {
        match => {
            "message" => "%{TIMESTAMP_ISO8601:logtime}.*] %{NOTSPACE:device}: place acquired by %{NOTSPACE:user}"
        }
    }

So, if we use filterbeat to collect the log and sent to logstash, should we use next in filebeat to filter the log first before sent to logstash? What's the advantage or disadvantage compared to filter them only in logstash? Thanks!

include_lines: ['place acquired by']

system · May 11, 2023, 11:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.