Add a filter to appender in elasticsearch - logging yml syntax


Your syntax is a bit incomplete :-), please use the following and see if it works for you. Filters syntax uses an identifier, thus the 1 in my configuration below. Also, note that if you want to filter out the "marvel" ones then you need acceptOnMatch: false.

filter:
  1:
    type: org.apache.log4j.varia.StringMatchFilter
    StringToMatch: "marvel"
    AcceptOnMatch: false


I just realised that the level that you log to index_search_slow_log_file can be specific to the index.

So I don't actually need to filter out marvel logs, I can just set the default to no logging in elasticsearch.yml (i.e. don't change it), enable logging to index_search_slow_log_file and then put an index specific override via the index settings API.

elasticsearch.yml: no change

logging.yml:

additivity:
  index.search.slowlog: true
  ...

Index settings API:

PUT /index_name/_settings
{
  "index": {
    "search": {
      "slowlog": {
        "threshold": {
          "fetch": {
            "trace": "0ms",
            "info": "500ms",
            "warn": "1s"
          }
        }
      }
    }
  }
}


To add to andrei-stefan's answer, you can also invert the sense of matching to AcceptOnMatch: true, but this requires adding an explicit DenyAllFilter after. The full example looks like this:

filter:
  1:
    type: org.apache.log4j.varia.StringMatchFilter
    StringToMatch: "my-important-index"
    AcceptOnMatch: true
  2:
    type: org.apache.log4j.varia.DenyAllFilter
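
Added example (not part of the answers above, and not log4j's own code): a small Python model of how a log4j 1.x appender walks its filter chain, showing why the AcceptOnMatch: true variant needs a trailing DenyAllFilter and that StringMatchFilter matches anywhere in the rendered message. The slow-log lines and the `is_logged`/`surviving` helpers are constructed for illustration.

```python
from enum import Enum

class Decision(Enum):
    DENY = -1      # drop the event immediately
    NEUTRAL = 0    # no opinion, ask the next filter
    ACCEPT = 1     # log the event immediately

class StringMatchFilter:
    """Model of org.apache.log4j.varia.StringMatchFilter (substring match)."""
    def __init__(self, string_to_match, accept_on_match=True):
        self.string_to_match = string_to_match
        self.accept_on_match = accept_on_match

    def decide(self, message):
        if message is None or self.string_to_match is None:
            return Decision.NEUTRAL
        if self.string_to_match not in message:
            return Decision.NEUTRAL
        return Decision.ACCEPT if self.accept_on_match else Decision.DENY

class DenyAllFilter:
    """Model of org.apache.log4j.varia.DenyAllFilter."""
    def decide(self, message):
        return Decision.DENY

def is_logged(filters, message):
    """Walk the chain in order; the first non-NEUTRAL decision wins."""
    for f in filters:
        decision = f.decide(message)
        if decision is Decision.DENY:
            return False
        if decision is Decision.ACCEPT:
            return True
    return True  # every filter was NEUTRAL: the event is still logged

def surviving(filters, messages):
    return [m for m in messages if is_logged(filters, m)]

# Constructed sample slow-log messages (not real output).
SAMPLE = [
    '[.marvel-2015.01.01][0] took[1.2s], source[{}]',
    '[my-important-index][2] took[800ms], source[{}]',
    '[other-index][1] took[600ms], source[{}]',
    '[other-index][3] took[700ms], source[{"match":{"title":"marvel"}}]',
]

DENY_MARVEL = [StringMatchFilter("marvel", accept_on_match=False)]
ACCEPT_ONLY = [StringMatchFilter("my-important-index", accept_on_match=True)]
ACCEPT_THEN_DENY = ACCEPT_ONLY + [DenyAllFilter()]
```

With `DENY_MARVEL`, the last sample line is dropped as well, because the match is on the whole message text rather than on the index name; with `ACCEPT_ONLY`, nothing is filtered at all.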