Using logstash, How to filter Errors only from logs?

devalkars · March 2, 2016, 11:32am

Hi, I am using logstash in our project, How to filter Errors only from logs ?

i am using below configuration:

input {

file {
path => "D:/apache-tomcat-7.0.67/logs/cpe.log"
start_position => "beginning"
}
}

filter {
grok {
match => { "message" => "%{APACHEERRORLOG}" } #it wont worked for me
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
}
stdout { codec => rubydebug }
}

magnusbaeck · March 2, 2016, 6:44pm

How to filter Errors only from logs ?

It's not clear what this means.

it wont worked for me

What does this mean? Please be explicit. What's the input? What's the actual result? What's the expected result?

devalkars · March 3, 2016, 4:25am

input is log file containing loglevels INFO, ERROR.
i want logs output to be filtered only ERROR loglevels.
below configuration results : pattern %{APACHEERRORLOG} not defined
filter {
grok {
match => { "message" => "%{APACHEERRORLOG}" } #it wont worked for me
}
}

what should be configuration so that i can see only ERROR logs filtered in output.

magnusbaeck · March 3, 2016, 6:31am

input is log file containing loglevels INFO, ERROR.
i want logs output to be filtered only ERROR loglevels.

Either wrap the output in a conditional that look at the field containing the log level,

if [level] == "ERROR" {
  output {
     ...
  }
}

or use a similar conditional that wraps the drop filter (which deletes the current event). See Accessing event data and fields | Logstash Reference [8.11] | Elastic.

below configuration results : pattern %{APACHEERRORLOG} not defined

AFAICT Logstash doesn't ship with pattern with that name. I don't know where you got that pattern name from. However, it does ship with a few other patterns that might be useful to you:

github.com

logstash-plugins/logstash-patterns-core/blob/v2.0.2/patterns/grok-patterns#L95-L97


      
          HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
          HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}:tid %{NUMBER:tid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
          HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}

devalkars · March 3, 2016, 9:28am

Thanks this solved my problem.

baha1 · June 7, 2017, 1:48pm

Hi community,
i have a log like :17:37:17,103 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].....rest of text.
what is the convenient grok to filter that.
Any help is appreciate.

magnusbaeck · June 7, 2017, 1:57pm

@baha1, please start a new thread for your unrelated question.

baha1 · June 7, 2017, 2:31pm

thank you for answering,this is the link of the new thread.

naga_kunchala · July 25, 2018, 10:41am

i am also have same issue. i want save the only errors in formation for that which filter i need to use

magnusbaeck · July 25, 2018, 11:56am

i am also have same issue. i want save the only errors in formation for that which filter i need to use

Then start a new thread (topic) for your question, and include more details about your configuration and your requirements. The more specific question you ask the more specific and exact replies you'll get.