I have lines in my log files that literally just have a semicolon in them. I am assuming it is attached to the previous line. Logstash is constantly printing them, and I want to drop these whenever there is a line that begins with a ;.
This is what logstash prints:
"message" => ";/r"
"@version" => "1"
"@timestamp" => 2014-06-24T15:39:00.655Z,"
"type" => "BCM_Core",
"host => XXXXXXXXXXX",
"Path => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"tags" => [
[0] "_grokparsefailureZ"
],
"BCM_UTC_TIME" =>"2014-06-24%{time}Z"
I've attempted to use multiline to append to previous line so logstash would stop printing:
    multiline {
      type => "BCM_Core"
      pattern => "\;"
      negate => true
      what => "previous"
    }
but logstash is still printing them out. How can I make logstash drop it?
Just use a drop filter to drop any line that starts with ;:
    filter {
      if ([message] =~ "^;") {
        drop {}
      }
    }
Although based on your output, it's really ;/r not ;\r, so you might need to adjust if your output is not just an example.
You can also just drop anything that fails to grok:
if "_grokparsefailure" in [tags] { drop {} }
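A narrower variant of the two suggestions above, as an added example that is not part of the original answer: it drops only events that are nothing but a semicolon, and keeps grok failures in a separate file instead of discarding them, since dropping on `_grokparsefailure` removes every event the pattern did not anticipate. The file path is a constructed placeholder, and the existing grok filter from the asker's pipeline is assumed to stay where the comment marks it.

```logstash
filter {
  # Match a message that is only ";" followed by the literal "/r" shown in
  # the question's output, or by real whitespace / carriage return.
  # Anchoring both ends keeps lines that start with ";" but carry content.
  if [message] =~ "^;(/r|\s)*$" {
    drop {}
  }

  # ... existing grok filter for type "BCM_Core" goes here (unchanged) ...
}

output {
  if "_grokparsefailure" in [tags] {
    # Keep unparsed events for review rather than dropping them silently.
    # Placeholder path: adjust to your environment.
    file { path => "/var/log/logstash/bcm_core_unparsed.log" }
  } else {
    stdout { codec => rubydebug }
  }
}
```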