
Logstash filter how to find out what events have been dropped?


I have a Logstash filter, and I'd like to know which events in my log files have been dropped, since I don't see them in the Logstash output file. How can I do that?

My filter looks like this:

filter {
  grok {
    patterns_dir => "C:\logstash-7.4.2\patterns"
    match => { "message" => "^\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level}\]\[%{TThread:thread}\]\[%{JAVACLASS:class}\] %{GREEDYDATA:msg}" }
  }
  if "_grokparsefailure" in [tags] {
    drop{}
  }
  

}


Solution

  • When you drop an event in your pipeline, it stops existing for your pipeline: you won't see it in any output. You can't drop an event and have it in an output.

    In your case, you are dropping events that do not match your grok filter. If you want to know which events are failing to be parsed, you will need to stop dropping those events and redirect them to another output for better analysis. If you want, you can also keep them in the same output and filter later.

    You can use something like the following config.

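    output {
      if "_grokparsefailure" in [tags] {
        # Output to store failed events (placeholder path, adjust to your setup).
        # The drop{} block must be removed from the filter for events to reach here.
        file { path => "/path/to/grok_failures.log" }
      }
      if "_grokparsefailure" not in [tags] {
        # Normal output for the other events (placeholder path)
        file { path => "/path/to/parsed_events.log" }
      }
    }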
    

    You can also run Logstash with the log level set to debug, but it will log a lot of stuff and is not the best way to proceed in your case.
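An added example, not part of the original answer: an offline check that lists which lines of a log file would miss the question's grok pattern, grouped by shape, so you can see what a `drop{}` would silently discard. The regexes are simplified stand-ins for the grok patterns (assumptions), `TThread` is the asker's custom pattern whose definition is not on the page (assumed to be "anything up to `]`"), and the sample lines are constructed.

```python
import re
from collections import Counter

# Simplified approximations of the grok patterns in the question (assumptions).
LINE_RE = re.compile(
    r"^\[(?P<timestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"
    r"(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?)\]"                 # ~TIMESTAMP_ISO8601
    r"\[(?P<level>[A-Za-z]+)\]"                                # ~LOGLEVEL
    r"\[(?P<thread>[^\]]+)\]"                                  # TThread (assumed)
    r"\[(?P<cls>(?:[A-Za-z_$][\w$]*\.)*[A-Za-z_$][\w$]*)\] "   # ~JAVACLASS
    r"(?P<msg>.*)$"                                            # GREEDYDATA
)

def split_events(lines):
    """Return (parsed, failed); failed holds (line_number, raw_line) pairs."""
    parsed, failed = [], []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        m = LINE_RE.match(line)
        if m:
            parsed.append((n, m.groupdict()))
        else:
            failed.append((n, line))
    return parsed, failed

def shape(line):
    """Coarse signature: first word with digits masked, plus an indent marker."""
    words = line.split()
    head = re.sub(r"\d+", "N", words[0]) if words else "<empty>"
    return ("<indent> " if line[:1].isspace() else "") + head

def failure_shapes(failed):
    """Count unparsed lines per shape so recurring formats stand out."""
    return Counter(shape(line) for _, line in failed).most_common()

# Constructed sample input: two well-formed events, a stack trace that spills
# over several lines, and one event missing the [class] field.
SAMPLE = [
    "[2019-11-20 10:15:30,123][INFO][main][com.example.App] Service started",
    "[2019-11-20 10:15:31,456][ERROR][worker-1][com.example.db.Pool] Connection refused",
    "java.net.ConnectException: Connection refused",
    "    at com.example.db.Pool.open(Pool.java:42)",
    "    at com.example.db.Pool.retry(Pool.java:77)",
    "[2019-11-20 10:15:32][WARN][main] missing class field",
]

if __name__ == "__main__":
    parsed, failed = split_events(SAMPLE)
    print(f"{len(parsed)} parsed, {len(failed)} would be tagged _grokparsefailure")
    for sig, count in failure_shapes(failed):
        print(f"{count:4d}  {sig}")
```

Indented `at ...` lines dominating the failures usually point to multi-line stack traces that need joining before grok rather than a wrong pattern.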