Using logstash, How to filter Errors only from logs?

devalkars · March 2, 2016, 11:32am

Hi, I am using logstash in our project, How to filter Errors only from logs ?

i am using below configuration:

input {

file {
path => "D:/apache-tomcat-7.0.67/logs/cpe.log"
start_position => "beginning"
}
}

filter {
grok {
match => { "message" => "%{APACHEERRORLOG}" } #it wont worked for me
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
}
stdout { codec => rubydebug }
}

magnusbaeck · March 2, 2016, 6:44pm

How to filter Errors only from logs ?

It's not clear what this means.

it wont worked for me

What does this mean? Please be explicit. What's the input? What's the actual result? What's the expected result?

devalkars · March 3, 2016, 4:25am

input is log file containing loglevels INFO, ERROR.
i want logs output to be filtered only ERROR loglevels.
below configuration results : pattern %{APACHEERRORLOG} not defined
filter {
grok {
match => { "message" => "%{APACHEERRORLOG}" } #it wont worked for me
}
}

what should be configuration so that i can see only ERROR logs filtered in output.

magnusbaeck · March 3, 2016, 6:31am

input is log file containing loglevels INFO, ERROR.
i want logs output to be filtered only ERROR loglevels.

Either wrap the output in a conditional that look at the field containing the log level,

if [level] == "ERROR" {
  output {
     ...
  }
}

or use a similar conditional that wraps the drop filter (which deletes the current event). See Accessing event data and fields | Logstash Reference [8.11] | Elastic.

below configuration results : pattern %{APACHEERRORLOG} not defined

AFAICT Logstash doesn't ship with pattern with that name. I don't know where you got that pattern name from. However, it does ship with a few other patterns that might be useful to you:

github.com

logstash-plugins/logstash-patterns-core/blob/v2.0.2/patterns/grok-patterns#L95-L97


      
          HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
          HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}:tid %{NUMBER:tid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
          HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}

devalkars · March 3, 2016, 9:28am

Thanks this solved my problem.

baha1 · June 7, 2017, 1:48pm

Hi community,
i have a log like :17:37:17,103 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].....rest of text.
what is the convenient grok to filter that.
Any help is appreciate.

magnusbaeck · June 7, 2017, 1:57pm

@baha1, please start a new thread for your unrelated question.

baha1 · June 7, 2017, 2:31pm

thank you for answering,this is the link of the new thread.

naga_kunchala · July 25, 2018, 10:41am

i am also have same issue. i want save the only errors in formation for that which filter i need to use

magnusbaeck · July 25, 2018, 11:56am

i am also have same issue. i want save the only errors in formation for that which filter i need to use

Then start a new thread (topic) for your question, and include more details about your configuration and your requirements. The more specific question you ask the more specific and exact replies you'll get.

Topic		Replies	Views
How to filter only error from log file Logstash	10	17013	July 7, 2017
Filter Error logs only Logstash	15	1537	March 14, 2020
Syntax in filter Error log Logstash docker	6	397	March 14, 2020
How to filter Errors only from logs? using logstash Logstash	7	512	August 22, 2018
Passing only loglevel ERROR FROM LOG USING GROK FILTRATION Logstash	7	361	November 25, 2020

Using logstash, How to filter Errors only from logs?

Related topics