事件的Logstash下降过滤器 [英] Logstash drop filter for event

问题描述

在我的日志文件中，我有如下条目:

In my log file I have entries like the following:

2014-06-25 12:36:18,176 [10] ((null)) INFO  [s=(null)] [u=(null)] Hello from Serilog, running as "David"! [Program] 
2014-06-25 12:36:18,207 [10] ((null)) WARN  [s=(null)] [u=(null)] =======MyOwnLogger====== Hello from log4net, running as David! [MyOwnLogger] 
2014-06-25 12:36:18,209 [10] ((null)) ERROR [s=(null)] [u=(null)] =======MyOwnLogger====== Hello from log4net, running as David! [MyOwnLogger] 

分别是日志级别的INFO，WARN和ERROR.

which are of loglevel INFO, WARN and ERROR respectively.

我想做的是仅将那些错误级别的条目输出到Elasticsearch.这是我的Logstash配置文件:

What I would like to do is to only output to Elasticsearch those entries which are of ERROR level. Here is my Logstash configuration file:

input {
    file {
        path => "Somepath/*.log"
    }
}

# This filter doesn't work
filter {
  if [loglevel] != "error" { 
    drop { } 
  }
}

output {
    elasticsearch { host => localhost }
    stdout {}
}

有效地，目前没有任何东西发送到Elasticsearch.我知道它与过滤器有关，因为如果不存在该过滤器，则所有条目都将发送到Elastisearch.

Effectively, currently nothing gets sent to Elasticsearch. I know it is related to the filter because if it's not there, all the entries get sent to Elastisearch.

推荐答案

尝试使用此grok过滤器.这对我有用，对您的日志

Try this grok filter. It is works at me with your logs

filter {
    grok {
            match => ["message","%{TIMESTAMP_ISO8601:logtime} \[%{NUMBER}\] \(\(%{WORD}\)\) %{WORD:loglevel} %{GREEDYDATA:other}"]
    }

    if [loglevel]!= "ERROR" {
            drop {}
    }
}

首先，您需要查看日志级别，然后可以使用该字段执行其他条件并决定是否丢弃.

First, you need to grok the loglevel, then just you can use the field to do if else condition and decide drop or not.

这篇关于事件的Logstash下降过滤器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！