How can i use grok filter to get the matched messages in the tomcat logs?

Question

I'm getting different different information in the tomcat logs. I want only the line with the message "Server startup in" . Im using the grok filter in the logstash,but im unable to get the only one filtered message with that message. I'm getting all the messages in the logs of tomcat. the conf file in logstash is...

input {
  stdin { }
  file {
    type => "tomcat-access"
    path => ["D:/apache-tomcat-7/logs/catalina.2015-05-19.log"]
  }
}

filter {
    grok {
match => [ "message:Server startup in", "%{SYSLOGBASE} %{DATA:message}"]
  }
}

output {
    stdout { codec => rubydebug }
  elasticsearch {
    index => "tomcat"
    cluster => "cloud-es"
  }

}

Magnus Bäck Magnus Bäck · Accepted Answer · 2015-05-19T05:46:51

The grok filter is used to extract fields from messages. It doesn't do any filtering. You should use a conditional and the drop filter:

filter {
  if [message] !~ /Server start up in/ {
    drop { }
  }
}

Or:

filter {
  if "Server start up in" not in [message] {
    drop { }
  }
}

How can i use grok filter to get the matched messages in the tomcat logs?

1 Answers