Ignore telegraf logs if it contains a particular data using grok

jeevan1205 · February 8, 2022, 3:51am

Hi, I have logs like below. I need to ignore the 2nd entry as it has 10.0.0.0 IP address

2022-02-02 14:10:23 299327 10.0.0.28 TCP_TUNNEL/200 1084 CONNECT test1.com:443 - HIER_DIRECT/1.1.1.1 -
2022-02-02 14:10:38    981 10.0.0.0 TCP_TUNNEL/200 7007 CONNECT test2.com:443 - HIER_DIRECT/2.2.2.2 -

and my Grok pattern is

'''%{TIMESTAMP_ISO8601:time}%{SPACE}%{INT:elapsedTime:int} %{IP:clientIp:tag} %{DATA}/%{POSINT:statusCode:tag} %{DATA} %{DATA} %{DATA:address:tag} - %{DATA}/%{IP:ip:tag}'''.

Any suggestions please, I tried few regex

((?<TIMESTAMP_ISO8601>^(?!.*10.0.0.0).*)%{SPACE}%{INT:elapsedTime} %{IP:clientIp:tag} %{DATA}/%{POSINT:statusCode:tag} %{DATA} %{DATA} %{DATA:address:tag} - %{DATA}/%{IP:ip:tag})

and they work here but not on the server.

jpowers · February 8, 2022, 3:30pm

Rather than fight with Grok my suggestion would be to use a starlark to filter out matches:

def apply(metric):
    if metric.tags["clientIp"] == "10.0.0.0":
      return None // drop
    else:
      return metric // keep

jeevan1205 · February 8, 2022, 8:45pm

oh okay, thank you I will use starlark. But is there any way to implement it using Grok in general.

Topic		Replies	Views
Grok pattern for telegraf Telegraf telegraf , grok	4	1328	February 3, 2022
Telegraf is not reading Nginx access log file data Telegraf grok , nginx	5	2948	December 23, 2021
Telegraf grok not parsing with custom patterns which works on grok debug Telegraf telegraf , grok	0	245	September 11, 2023
Parse a custom log using telegraf logparser input Telegraf telegraf	6	13122	February 18, 2022
NGINX Access Log Parser Telegraf telegraf	0	710	March 2, 2020

Ignore telegraf logs if it contains a particular data using grok

Related Topics