Using the exclude_lines option

According to the documenation I should be able to use the "exclude_lines" option to filter specific events.

I've setup my filebeat.yml to exclude any entries that start with my load balancer IP, but they still forward to logstash.

  paths:
    - /var/log/httpd/access_log
  document_type: apache-access
  exclude_lines: ["^192.168.1.5"]

What am I doing wrong?

Just to be sure, you are on filebeat 1.1.0, right? The config looks good to me.

Thanks Tudor

I just did a yum repo check and found that it was still on 1.01 and 1.1 was available. Oddly I had checked this earlier to day and it said I was up to date...although I didn't check the version number.

Short answer: yup this was the issue and applying the 1.1 update fixed it.

Cool, that's because we just released 1.1 about two hours ago :slight_smile:

lol, awesome timing then!

Hi,
A log file have INFO/DEBUG/ERROR. But i want to exclude debug logs to forward, but still its forwarding.
Using filebeat-5.0.0-alpha3
exclude_lines: ["^DEBUG"]

Example json log:
{"@logdate":"2016-07-05T15:15:50.772+05:30","message":"methodName()","logger_name":"com.app","thread_name":"main","level":"DEBUG","fileType":"test"}

is the exclude config correct?