shashivs

Reputation: 19

grok pattern to get lines with particular word from logfiles in Logstash

I am trying to implement Logstash for logging a few custom files, for which I have to get the lines containing the words "out of swap memory". Following is the content of the /etc/logstash/conf.d/10-syslog.conf file, in which I have created a custom_error type filter for the custom log files that I need to log to get the desired line:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
  if [type] == "custom_error" {
    grok {
      match => { "message" => "Exception java.lang.OutOfMemoryError: requested %{NUMBER:int} bytes for promotion. Out of swap space?" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

But I am still not getting the desired result; a lot of other messages are showing up along with the required line, which is making the log message far too lengthy. How can I get just the required line from the log files?

Upvotes: 0

Views: 2432

Answers (1)

baudsp

Reputation: 4100

If I understand your question, you can use a conditional in your logstash configuration.
It is explained here in the documentation.

So if you want to specifically filter lines containing the words "out of swap memory", you can use:

if [message] =~ / out of swap memory/ {
  # ... your filters go here ...
  # only the lines containing "out of swap memory" will go through this part.
}

Upvotes: 1
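A complete filter block built around the conditional from this answer, added here as an example (it is neither the asker's configuration nor the answerer's code): it assumes events already carry type custom_error and the HotSpot message format quoted in the question, keeps only messages that mention swap exhaustion, extracts the requested byte count, and discards everything else of that type with the drop filter.

```logstash
filter {
  if [type] == "custom_error" {
    # Only events whose message matches the regex enter this branch.
    # The alternation is an assumption that covers both the "Out of swap space?"
    # text in the question's grok and the "out of swap memory" wording used in
    # the answer; keep whichever your application actually logs.
    if [message] =~ /[Oo]ut of swap (space|memory)/ {
      grok {
        # '.' and '?' are regex metacharacters inside a grok pattern, so they
        # are escaped here to match the literal text of the JVM message.
        match => { "message" => "Exception java\.lang\.OutOfMemoryError: requested %{NUMBER:requested_bytes:int} bytes for promotion\. Out of swap space\?" }
        add_field => {
          "received_at"   => "%{@timestamp}"
          "received_from" => "%{host}"
        }
        # Tag the event so alerting or dashboards can pick it up directly.
        add_tag => [ "oom_swap" ]
      }
      # No date filter here: this grok extracts no timestamp field, so a date
      # filter keyed on syslog_timestamp would have nothing to parse.
    } else {
      # Every other custom_error event is dropped, so only the lines of
      # interest reach the output.
      drop { }
    }
  }
}
```

Events of other types pass through this block untouched; a custom_error event that matches the conditional but not the grok pattern is kept and tagged _grokparsefailure rather than dropped, which is worth watching for in the output.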
