How can i use grok filter to get the matched messages in the tomcat logs?

Question

I'm getting different different information in the tomcat logs. I want only the line with the message "Server startup in" . Im using the grok filter in the logstash,but im unable to get the only one filtered message with that message. I'm getting all the messages in the logs of tomcat. the conf file in logstash is...

input {
  stdin { }
  file {
    type => "tomcat-access"
    path => ["D:/apache-tomcat-7/logs/catalina.2015-05-19.log"]
  }
}

filter {
    grok {
match => [ "message:Server startup in", "%{SYSLOGBASE} %{DATA:message}"]
  }
}

output {
    stdout { codec => rubydebug }
  elasticsearch {
    index => "tomcat"
    cluster => "cloud-es"
  }

}

score 0 · Accepted Answer · answered May 19 '15 at 05:46

0

The grok filter is used to extract fields from messages. It doesn't do any filtering. You should use a conditional and the drop filter:

filter {
  if [message] !~ /Server start up in/ {
    drop { }
  }
}

Or:

filter {
  if "Server start up in" not in [message] {
    drop { }
  }
}

answered May 19 '15 at 05:46

Magnus Bäck

11,381
3
47
59

I want to make the kibana dashboard customized.Can i get the kibana Source code. So that i can make changes to my dashboard little more advanced and the way i want. – A.N.B Akhilesh May 20 '15 at 05:06
That's a completely different question, but yes, the Kibana source code is available on GitHub. – Magnus Bäck May 20 '15 at 05:33

How can i use grok filter to get the matched messages in the tomcat logs?

1 Answers1