Should we use filebeat include_lines to pre-filter messages before sent it to logstash?

atline · April 13, 2023, 9:28am

Usually in logstash we could use next to filter messages:

filter {
    grok {
        match => {
            "message" => "%{TIMESTAMP_ISO8601:logtime}.*] %{NOTSPACE:device}: place acquired by %{NOTSPACE:user}"
        }
    }

So, if we use filterbeat to collect the log and sent to logstash, should we use next in filebeat to filter the log first before sent to logstash? What's the advantage or disadvantage compared to filter them only in logstash? Thanks!

include_lines: ['place acquired by']

system · May 11, 2023, 11:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to send what you want in filebeat Beats filebeat	5	330	November 29, 2021
Include lines in filebeat Beats filebeat	1	288	March 3, 2020
Filebeat exclude and include lines Beats filebeat	6	4475	June 14, 2019
Filebeat include filter Elasticsearch	2	207	August 2, 2022
Include_lines and exclude_lines not working as expected Beats filebeat	2	690	May 7, 2019

Should we use filebeat include_lines to pre-filter messages before sent it to logstash?

Related topics