A filter plugin performs intermediary processing on an event. Filters are often applied conditionally depending on the characteristics of the event.
The following filter plugins are available:
| Plugin | Description | Github repository |
|---|---|---|
| aggregate | Aggregates information from several events originating with a single task | |
| alter | Performs general alterations to fields that the | |
| anonymize | Replaces field values with a consistent hash | |
| collate | Collates events by time or count | |
| csv | Parses comma-separated value data into individual fields | |
| cidr | Checks IP addresses against a list of network blocks | |
| clone | Duplicates events | |
| cipher | Applies or removes a cipher to an event | |
| checksum | Creates a checksum based on fields in an event | |
| date | Parses dates from fields to use as the Logstash timestamp for an event | |
| de_dot | Computationally expensive filter that removes dots from a field name | |
| dns | Performs a standard or reverse DNS lookup | |
| drop | Drops all events | |
| elasticsearch | Copies fields from previous log events in Elasticsearch to current events | |
| extractnumbers | Extracts numbers from a string | |
| environment | Stores environment variables as metadata sub-fields | |
| elapsed | Calculates the elapsed time between a pair of events | |
| fingerprint | Fingerprints fields by replacing values with a consistent hash | |
| geoip | Adds geographical information about an IP address | |
| grok | Parses unstructured event data into fields | |
| i18n | Removes special characters from a field | |
| json | Parses JSON events | |
| json_encode | Serializes a field to JSON | |
| kv | Parses key-value pairs | |
| mutate | Performs mutations on fields | |
| metrics | Aggregates metrics | |
| multiline | Merges multiple lines into a single event | |
| metaevent | Adds arbitrary fields to an event | |
| prune | Prunes event data based on a list of fields to blacklist or whitelist | |
| punct | Strips all non-punctuation content from a field | |
| ruby | Executes arbitrary Ruby code | |
| range | Checks that specified fields stay within given size or length limits | |
| syslog_pri | Parses the | |
| sleep | Sleeps for a specified time span | |
| split | Splits multi-line messages into distinct events | |
| throttle | Throttles the number of events | |
| translate | Replaces field contents based on a hash or YAML file | |
| uuid | Adds a UUID to events | |
| urldecode | Decodes URL-encoded fields | |
| useragent | Parses user agent strings into fields | |
| xml | Parses XML into fields | |
| zeromq | Sends an event to ZeroMQ | |