Tags: tomcat, filter, logstash, grok

How can i use grok filter to get the matched messages in the tomcat logs?


I'm getting different information in the Tomcat logs. I want only the line with the message "Server startup in". I'm using the grok filter in Logstash, but I'm unable to get only the one filtered message containing that text; I'm getting all the messages from the Tomcat logs. The conf file in Logstash is...

input {
  stdin { }
  file {
    type => "tomcat-access"
    path => ["D:/apache-tomcat-7/logs/catalina.2015-05-19.log"]
  }
}

filter {
  grok {
    match => [ "message:Server startup in", "%{SYSLOGBASE} %{DATA:message}" ]
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    index => "tomcat"
    cluster => "cloud-es"
  }
}

Solution

  • The grok filter is used to extract fields from messages. It doesn't do any filtering. You should use a conditional and the drop filter:

    filter {
      # Tomcat logs "Server startup in <n> ms"; drop every event that lacks it.
      if [message] !~ /Server startup in/ {
        drop { }
      }
    }
    

    Or:

    filter {
      # Same check without a regex: plain substring test on the message field.
      if "Server startup in" not in [message] {
        drop { }
      }
    }
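
A complete pipeline built on that answer, added here as an example and not code from the question or the answer: the conditional drops every event that is not the startup line, and grok is then used for what it is for, extracting the startup time as an integer field. The path glob, the type value and the field names level and startup_ms are my own choices. It assumes Tomcat 7's default two-line JULI log format, where the timestamp and logger name sit on one line and the message, for example "INFO: Server startup in 3450 ms", on the next, so the kept event carries no timestamp of its own; joining the two lines would need a multiline codec on the input, which the answer does not cover.

```logstash
input {
  file {
    type => "tomcat-catalina"
    # Assumed path; Tomcat rotates catalina.<date>.log daily.
    path => ["D:/apache-tomcat-7/logs/catalina.*.log"]
    start_position => "beginning"
  }
}

filter {
  # grok extracts fields, it never discards events: the drop has to happen
  # in a conditional. Everything without the startup phrase is thrown away.
  if "Server startup in" not in [message] {
    drop { }
  }

  # Pull the duration out of e.g. "INFO: Server startup in 3450 ms".
  # ":int" coerces the captured number so it indexes as an integer.
  grok {
    match => { "message" => "%{LOGLEVEL:level}: Server startup in %{NUMBER:startup_ms:int} ms" }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    index => "tomcat"
    cluster => "cloud-es"
  }
}
```

When testing this against the rubydebug output, look for a _grokparsefailure tag on the events that survive the drop: it means the line contained the phrase but the grok pattern did not fit it, so the conditional and the pattern disagree about the line format and the pattern is the one to adjust.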