Logstash

Patterns

https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

/etc/logstash/patterns/nginx

Route events to Elasticsearch only when grok is successful:

output {
  if "_grokparsefailure" not in [tags] {
    elasticsearch { ... }
  }
}

Metrics and conditions:

if [response] =~ /^2[0-9]{2,2}$/ {
  metrics {
    meter => [ "http_2xx" ]
    add_tag => "metric"
  }
}