How can I get logstash to delete all events that do not match the regex group?

I am trying to match event messages with multiple regular expressions. I was going to use the grep filter, but it's deprecated, so I am trying to abandon the negation.

The functionality I'm looking for is to remove all events if the message does not match multiple regular expressions.

The filter below does not work, but when checked separately, both expressions work fine. What am I missing?

    filter {
      if ([message] !~ ' \[critical\]: ' or [message] !~ '\[crit\]: ') {
        drop { }
      }
    }
+6
3 answers

You are using a regular expression in your conditional expression, but you are not passing the argument in the correct format. The docs show this:

 if [status] =~ /^5\d\d/ { nagios { ... } } 

Note that the regex is not quoted but is surrounded by slashes.

+3
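A full pipeline built on that syntax, as an added example rather than code from the question or the answers, with a stdin input assumed for local testing: it keeps only events whose message carries one of the two markers and drops the rest, and the two negated tests are joined with `and`, since `or` would drop every message that fails at least one of them.

```logstash
# Added example (not from the original post). Assumption: events are read
# from stdin so the filter can be exercised by pasting sample lines.
input {
  stdin { }
}

filter {
  # Regex literals are unquoted and delimited by slashes.
  # "and" is required here: with "or", a message containing "[crit]: " but
  # not "[critical]: " would still satisfy the first test and be dropped.
  if [message] !~ /\[critical\]: / and [message] !~ /\[crit\]: / {
    drop { }
  }

  # Equivalent single-test form using alternation inside one regex:
  # if [message] !~ /\[(critical|crit)\]: / { drop { } }
}

output {
  stdout { codec => rubydebug }
}
```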

I read a little more and went on to parse events with grok, adding a tag and dropping them at the end if the tag was not there:

    filter {
      grok {
        add_tag => [ "valid" ]
        match => [
          "message", ".+ \[critical\]: ?(.+)",
          "message", ".+ \[crit\]: ?(.+) ",
          "message", '.+ (Deadlock found.+) ',
          "message", "(.+: Could not record email: .+) "
        ]
      }
      if "valid" not in [tags] {
        drop { }
      }
      mutate {
        remove_tag => [ "valid" ]
      }
    }
+11
 if "_grokparsefailure" in [tags] { drop {} } 
+6

Source: https://habr.com/ru/post/979502/