Hi Rafael,
you can simply use conditionals (see
https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals)
and the drop filter (see
https://www.elastic.co/guide/en/logstash/current/plugins-filters-drop.html)
to match the messages you want to process and drop all other messages.
Without having tested it:
filter {
  if [message] !~ /^.*Send-Document successful-ok$/ {
    drop { }
  }
}
Cheers,
Jochen
On Thursday, 18 August 2016 14:48:15 UTC+2, Rafael Pereira Silva wrote:
>
> Hello,
>
> I am creating a filter in logstash to filter log messages, my messages:
>
>
> localhost - - [14/Aug/2016:06:33:54 -0300] "POST /printers/pr-01021-s
> HTTP/1.1" 200 379 Create-Job successful-ok
> localhost - - [14/Aug/2016:06:33:54 -0300] "POST /printers/pr-01021-s
> HTTP/1.1" 200 66806 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:11 -0300] "POST /printers/pr-01016-r
> HTTP/1.1" 200 369 Create-Job successful-ok
> localhost - - [14/Aug/2016:06:34:11 -0300] "POST /printers/pr-01016-r
> HTTP/1.1" 200 9373 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:32 -0300] "POST /printers/pr-01036-j
> HTTP/1.1" 200 371 Create-Job successful-ok
> localhost - - [14/Aug/2016:06:34:32 -0300] "POST /printers/pr-01036-j
> HTTP/1.1" 200 41189 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:33 -0300] "POST /printers/pr-01036-j
> HTTP/1.1" 200 379 Create-Job successful-ok
> localhost - - [14/Aug/2016:06:34:33 -0300] "POST /printers/pr-01036-j
> HTTP/1.1" 200 54611 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:51 -0300] "POST /printers/pr-01006-8
> HTTP/1.1" 200 370 Create-Job successful-ok
> localhost - - [14/Aug/2016:06:34:51 -0300] "POST /printers/pr-01006-8
> HTTP/1.1" 200 1992 Send-Document successful-ok
>
>
> I need only lines:
> localhost - - [14/Aug/2016:06:33:54 -0300] "POST /printers/pr-01021-s
> HTTP/1.1" 200 66806 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:11 -0300] "POST /printers/pr-01016-r
> HTTP/1.1" 200 9373 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:32 -0300] "POST /printers/pr-01036-j
> HTTP/1.1" 200 41189 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:33 -0300] "POST /printers/pr-01036-j
> HTTP/1.1" 200 54611 Send-Document successful-ok
> localhost - - [14/Aug/2016:06:34:51 -0300] "POST /printers/pr-01006-8
> HTTP/1.1" 200 1992 Send-Document successful-ok
>
> that is: Lines containing the string "Send-Document"
>
>
>
>
> I use logstash as collector :
>
> vim /etc/logstash/conf.d/11-cupsacess.conf
>
> # Default input for the log files.
> input {
>   # Ssh
>   file {
>     type => "access_log_cups"
>     path => "/var/log/cups/access_log"
>   }
> }
>
>
> # Default output to Graylog2 in GELF format.
> output {
>   gelf {
>     host => "10.122.80.203"
>   }
> }
>
>
>
>
>
> can anybody help me?
>
>
> filter {
> if [type] == "access_log_cups" {
> grok {
> match => { "message" => XXXXXXxxxxxxxxx}
>
> }
> }
>
>
> Thank you so much
>
>
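The drop condition from the reply above, replayed in plain Ruby over lines from the question so it can be checked without a running Logstash. This is an added example, not part of the original emails; Ruby is used on the assumption that Logstash (a JRuby application) evaluates `=~` and `!~` with Ruby regex semantics, and `TOLERANT`, `split_events` and the `EDGE` lines are constructed for illustration.

```ruby
# Added example (not from the thread): replays the reply's drop condition in Ruby.
DROP_UNLESS = /^.*Send-Document successful-ok$/ # regex from the reply
TOLERANT    = /Send-Document successful-ok\s*$/ # hypothetical variant, not from the thread

# Lines copied from the question, with the e-mail line wrapping undone.
SAMPLE = [
  'localhost - - [14/Aug/2016:06:33:54 -0300] "POST /printers/pr-01021-s HTTP/1.1" 200 379 Create-Job successful-ok',
  'localhost - - [14/Aug/2016:06:33:54 -0300] "POST /printers/pr-01021-s HTTP/1.1" 200 66806 Send-Document successful-ok',
  'localhost - - [14/Aug/2016:06:34:11 -0300] "POST /printers/pr-01016-r HTTP/1.1" 200 369 Create-Job successful-ok',
  'localhost - - [14/Aug/2016:06:34:11 -0300] "POST /printers/pr-01016-r HTTP/1.1" 200 9373 Send-Document successful-ok'
].freeze

# Constructed edge cases: what the anchored regex does with slightly different input.
EDGE = [
  SAMPLE[1] + "\r",                                        # CR left by CRLF line endings
  SAMPLE[1] + ' ',                                         # trailing space
  SAMPLE[1].sub('successful-ok', 'client-error-not-found') # constructed failed job
].freeze

# Mirrors `if [message] !~ REGEX { drop { } }`: returns [kept, dropped].
def split_events(messages, regex = DROP_UNLESS)
  messages.partition { |m| m =~ regex }
end

if __FILE__ == $PROGRAM_NAME
  kept, dropped = split_events(SAMPLE)
  puts "sample: kept #{kept.size}, dropped #{dropped.size}"
  kept.each { |m| puts "  keep #{m}" }
  strict_kept, = split_events(EDGE)
  tolerant_kept, = split_events(EDGE, TOLERANT)
  puts "edge cases kept: strict=#{strict_kept.size} tolerant=#{tolerant_kept.size}"
end
```

The two whitespace cases show that the anchored pattern drops a wanted line when anything follows `successful-ok`, which is worth checking against the real file before relying on the filter.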