
Saw a similar post regarding filtering Filebeat output, but my case is complicated by the existence of a double quote and slashes and backslashes within the message string.

Here is the message field in Filebeat:

"message":"162.246.216.28 - msca.operations [03/May/2017:17:21:21 +0000] \"GET /api/console/proxy?uri=aliases\u0026=1493758138223 HTTP/1.1\" 200 60 \"http

As seen above, to remove all successful HTTP requests, I need to capture both the "HTTP" and the returned status "200" and dump them.

I tried this line, and a few variations without success:

```yaml
- drop_event:
    when:
      regexp:
        message: "*HTTP?1.1?? 200*"
```
Stiv Ostenberg
  • What did you get? And what is the exact output you are expecting? – degant May 03 '17 at 22:21
  • Find `HTTP[^"]*\"\s*\d+\s*` replace with nothing. Stringed regex = `"HTTP[^\"]*\\\"\\s*\\d+\\s*"` But remember, this removes the `\"` which might unbalance it somewhere down the line. –  May 03 '17 at 23:05
  • Try: `*HTTP.1\.1"\s*200*` – TheChetan May 04 '17 at 05:03
  • Filebeat uses regex in this instance to determine which lines to include/exclude. Using TheChetan's example (which seemed the simplest) caused an error with unknown escape sequence. sln's solution seems to have worked, but not sure what might be unbalanced... :) – Stiv Ostenberg May 04 '17 at 16:27
  • Hmm. sln seems to remove all http, not just the 200's. Sigh. – Stiv Ostenberg May 04 '17 at 16:35

0 Answers
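An added check, not part of the original thread: the patterns from the question and the comments are run against log lines with Go's `regexp` package, on the assumption that Filebeat's `regexp` condition accepts the same RE2-style syntax. The sample lines, the `dropped` helper and `statusPattern` are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample messages shaped like the access-log line in the question.
// In the raw message the quotes are plain "; the \" shown there is JSON escaping.
var samples = []string{
	`10.0.0.1 - alice [03/May/2017:17:21:21 +0000] "GET /api/status HTTP/1.1" 200 60 "-"`,
	`10.0.0.2 - bob [03/May/2017:17:21:22 +0000] "GET /missing HTTP/1.1" 404 12 "-"`,
	`10.0.0.3 - carol [03/May/2017:17:21:23 +0000] "POST /login HTTP/1.1" 500 200 "-"`,
}

const (
	questionPattern = `*HTTP?1.1?? 200*`     // from the question (glob-style, not a regex)
	commentPattern  = `HTTP[^"]*\"\s*\d+\s*` // from the comment; \d+ accepts any status
	statusPattern   = `HTTP/1\.1" 200 `      // added here: closing quote, then status 200 only
)

// dropped returns the indexes of the samples the pattern matches (the events a
// drop_event condition would discard), or an error if the pattern does not compile.
func dropped(pattern string) ([]int, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	var hits []int
	for i, s := range samples {
		if re.MatchString(s) {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

func main() {
	for _, p := range []string{questionPattern, commentPattern, statusPattern} {
		hits, err := dropped(p)
		fmt.Printf("%-26q dropped=%v err=%v\n", p, hits, err)
	}
	// The same pattern as a Filebeat setting, single-quoted so that YAML
	// passes the backslash through unchanged:
	//   regexp:
	//     message: 'HTTP/1\.1" 200 '
}
```

The third sample has a response size of 200 after a 500 status; anchoring on the closing quote keeps that error event from being dropped along with the successful requests.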