tag_on_failure => [] # prevent default _grokparsefailure tag on real records

[elk@zjtest7-frontend config]$ cat stdin04.conf 
input {
    stdin {
    }
}
filter {
  # drop sleep events
  grok {
    match => { "message" => "SELECT SLEEP" }
    add_tag => [ "sleep_drop" ]
#    tag_on_failure => [] # prevent default _grokparsefailure tag on real records
  }
  if "sleep_drop" in [tags] {
    drop {}
  }
}

output {
 stdout {
  codec=>rubydebug{}
   }
 }

[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin04.conf 
Settings: Default pipeline workers: 1
Pipeline main started
SELECT SLEEP
SELECT SLEEP1
ddd
{
       "message" => "ddd",
      "@version" => "1",
    "@timestamp" => "2016-09-15T04:36:14.172Z",
          "host" => "0.0.0.0",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}
SELECT SLEEPtetwet
ffsf
{
       "message" => "ffsf",
      "@version" => "1",
    "@timestamp" => "2016-09-15T04:36:31.788Z",
          "host" => "0.0.0.0",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

/***********************
[elk@zjtest7-frontend config]$ cat stdin04.conf 
input {
    stdin {
    }
}
filter {
  # drop sleep events
  grok {
    match => { "message" => "SELECT SLEEP" }
    add_tag => [ "sleep_drop" ]
    tag_on_failure => [] # prevent default _grokparsefailure tag on real records
  }
  if "sleep_drop" in [tags] {
    drop {}
  }
}

output {
 stdout {
  codec=>rubydebug{}
   }
 }

[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin04.conf 
Settings: Default pipeline workers: 1
Pipeline main started
SELECT SLEEP
SELECT SLEEP4242
ffs
{
       "message" => "ffs",
      "@version" => "1",
    "@timestamp" => "2016-09-15T04:37:57.356Z",
          "host" => "0.0.0.0"
}

posted @ 2016-09-15 12:42 czcb 阅读(377) 评论(0) 编辑收藏举报

刷新页面返回顶部

tag_on_failure => [] # prevent default _grokparsefailure tag on real records

公告