Filter specific messages with logstash before sending to ElasticSearch

Views: 226

Question


I would like to know if it is possible to send only specific log messages to elasticsearch via logstash? E.g. let's say I have these messages in my log file:

2015-08-14 12:21:03 [31946] PASS  10.249.10.70  http://google.com
2015-08-14 12:25:00 [2492]  domainlist \"/etc/ufdbguard/blacklists\
2015-08-14 12:21:03 [31946] PASS 10.249.10.41 http://yahoo.com


I would like to skip the second line when logstash/log forwarder processes this log. Is it possible to instruct it to skip any log message with the keyword 'domainlist'? Or allow only log messages with the keyword 'PASS'?

Answer


Yes, you can achieve that by using the drop filter.


Depending on how you grok your log line and which field names you have, you can decide to drop an event if it matches some criteria. For instance, below you can see a conditional after the grok filter, which checks whether myfield contains something other than the value PASS, in which case it will drop the event.

filter {
  grok {
      ...your parsing regexp here...
  }

  if [myfield] != "PASS" {
    drop { }
  }
}
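The following is an added, complete pipeline built around the answer above; it is not the answerer's configuration. It parses the three sample lines from the question and keeps only the PASS events, showing both approaches the question asks about: dropping on a keyword in the raw message, and allowing only events whose parsed action field is PASS. The grok pattern, the field names (pid, action, client_ip, url), the log path and the Elasticsearch host are assumptions made for this example.

```logstash
# Added example, not part of the original answer.
# Assumed: log path, field names, grok pattern and Elasticsearch host.
input {
  file {
    path => "/var/log/ufdbguard/ufdbguardd.log"   # assumed path
    start_position => "beginning"
  }
}

filter {
  # Cheapest check first: a substring test on the raw line needs no parsing,
  # so lines mentioning "domainlist" never reach grok or Elasticsearch.
  if "domainlist" in [message] {
    drop { }
  }

  # Parse lines such as
  #   2015-08-14 12:21:03 [31946] PASS  10.249.10.70  http://google.com
  # \s+ tolerates the varying number of spaces between the columns.
  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{POSINT:pid}\] %{WORD:action}\s+%{IP:client_ip}\s+%{URI:url}"
    }
  }

  # Lines grok could not parse are tagged _grokparsefailure; drop them too,
  # otherwise unparsed junk would be indexed with only a raw message field.
  if "_grokparsefailure" in [tags] {
    drop { }
  }

  # Positive allow-list: only events whose action column is exactly PASS survive.
  if [action] != "PASS" {
    drop { }
  }

  # Use the timestamp from the log line instead of the ingest time.
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed host
    index => "ufdbguard-%{+YYYY.MM.dd}"
  }
}
```

Order matters here: the keyword drop runs before grok so the noisy line is never parsed, and the _grokparsefailure check keeps malformed lines out of the index instead of letting them through as half-empty documents. While tuning the pattern, swap the elasticsearch output for stdout { codec => rubydebug } and feed the three sample lines through stdin; you should see exactly two events, both with action set to PASS. Keep in mind that drop discards the event entirely, so if you need an audit trail of what was filtered, tag the event and route it to a separate output instead of dropping it.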
