
I'm using logstash-logback-encoder to send logs to Elasticsearch.

In particular, I'm using `LoggingEventCompositeJsonEncoder`.

The log of my application is similar to the following:

```
07/05/18 12:35:01.325 [main] INFO  o.s.c.a.AnnotationConfigApplicationContext - Refreshing org.springframework.context.annotation.AnnotationConfigApplicationContext@49e5f737: startup date [Mon May 07 12:35:01 CEST 2018]; root of context hierarchy

 ... 

07/05/18 12:35:01.932 [main] INFO  o.s.j.e.a.AnnotationMBeanExporter - Registering beans for JMX exposure on startup
07/05/18 12:35:01.950 [main] INFO  it.test.elk.ELKTestApplication - Started ELKTestApplication in 0.956 seconds (JVM running for 1.645)
07/05/18 12:35:01.952 [Thread-6] INFO  o.s.c.a.AnnotationConfigApplicationContext - Closing org.springframework.context.annotation.AnnotationConfigApplicationContext@49e5f737: startup date [Mon May 07 12:35:01 CEST 2018]; root of context hierarchy
07/05/18 12:35:01.955 [Thread-6] INFO  o.s.j.e.a.AnnotationMBeanExporter - Unregistering JMX-exposed beans on shutdown
```

I would like to send only the logs related to the `it.test.elk.` package to Elasticsearch.

Can you do it with grok? Or do I have to configure the logback.log specifically?

  • No need to use grok. Use [conditionals](https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals) with `=~ /it.test.elk/` – baudsp May 09 '18 at 12:22
  • `if [message] =~ /it.test.elk/`? Is that right? Is 'message' a standard field? How do I know without seeing the output in Kibana? – Alessio Frabotta May 09 '18 at 12:42
  • `message` should be a standard field when using logstash-logback-encoder, so `if [message] =~ /it.test.elk/ {}` should work. Without using Kibana, you can use a stdout or file Logstash output to check what's happening. – baudsp May 09 '18 at 13:43
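
A pipeline sketch for the filtering discussed in the comments, added here as an example and not taken from any poster's configuration. It assumes the application ships events over TCP (port 5000 is a placeholder) and that the composite encoder includes the `loggerName` provider, which writes the logger to a `logger_name` field; the condition tests that field with an anchored, dot-escaped pattern so that only loggers under `it.test.elk.` pass.

```logstash
input {
  tcp {
    port  => 5000            # assumed port; match the appender's destination
    codec => json_lines      # one JSON event per line, as the encoder emits
  }
}

filter {
  # Assumption: the encoder's loggerName provider is enabled, so the logger
  # is available in [logger_name] rather than only inside [message].
  # The dots are escaped and the pattern is anchored: an unescaped "." in a
  # Logstash regex matches any character, and an unanchored pattern would also
  # match loggers that merely contain the package name somewhere.
  if [logger_name] !~ /^it\.test\.elk\./ {
    drop { }
  }
}

output {
  # Print every surviving event in full so field names and values can be
  # inspected without Kibana. Replace or complement with the elasticsearch
  # output once the filter behaves as expected.
  stdout { codec => rubydebug }
}
```

If `logger_name` does not appear in the `rubydebug` output, the events carry whatever field name the encoder was configured with, and the condition has to reference that name instead.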

0 Answers