Filter plugins

A filter plugin performs intermediary processing on an event. Filters are often applied conditionally depending on the characteristics of the event.

The following filter plugins are available:

| Plugin | Description | GitHub repository |
|---|---|---|
| aggregate | Aggregates information from several events originating with a single task | logstash-filter-aggregate |
| alter | Performs general alterations to fields that the mutate filter does not handle | logstash-filter-alter |
| anonymize | Replaces field values with a consistent hash | logstash-filter-anonymize |
| collate | Collates events by time or count | logstash-filter-collate |
| csv | Parses comma-separated value data into individual fields | logstash-filter-csv |
| cidr | Checks IP addresses against a list of network blocks | logstash-filter-cidr |
| clone | Duplicates events | logstash-filter-clone |
| cipher | Applies or removes a cipher to an event | logstash-filter-cipher |
| checksum | Creates a checksum based on fields in an event | logstash-filter-checksum |
| date | Parses dates from fields to use as the Logstash timestamp for an event | logstash-filter-date |
| de_dot | Computationally expensive filter that removes dots from a field name | logstash-filter-de_dot |
| dns | Performs a standard or reverse DNS lookup | logstash-filter-dns |
| drop | Drops all events | logstash-filter-drop |
| elasticsearch | Copies fields from previous log events in Elasticsearch to current events | logstash-filter-elasticsearch |
| extractnumbers | Extracts numbers from a string | logstash-filter-extractnumbers |
| environment | Stores environment variables as metadata sub-fields | logstash-filter-environment |
| elapsed | Calculates the elapsed time between a pair of events | logstash-filter-elapsed |
| fingerprint | Fingerprints fields by replacing values with a consistent hash | logstash-filter-fingerprint |
| geoip | Adds geographical information about an IP address | logstash-filter-geoip |
| grok | Parses unstructured event data into fields | logstash-filter-grok |
| i18n | Removes special characters from a field | logstash-filter-i18n |
| json | Parses JSON events | logstash-filter-json |
| json_encode | Serializes a field to JSON | logstash-filter-json_encode |
| kv | Parses key-value pairs | logstash-filter-kv |
| mutate | Performs mutations on fields | logstash-filter-mutate |
| metrics | Aggregates metrics | logstash-filter-metrics |
| multiline | Merges multiple lines into a single event | logstash-filter-multiline |
| metaevent | Adds arbitrary fields to an event | logstash-filter-metaevent |
| prune | Prunes event data based on a list of fields to blacklist or whitelist | logstash-filter-prune |
| punct | Strips all non-punctuation content from a field | logstash-filter-punct |
| ruby | Executes arbitrary Ruby code | logstash-filter-ruby |
| range | Checks that specified fields stay within given size or length limits | logstash-filter-range |
| syslog_pri | Parses the PRI (priority) field of a syslog message | logstash-filter-syslog_pri |
| sleep | Sleeps for a specified time span | logstash-filter-sleep |
| split | Splits multi-line messages into distinct events | logstash-filter-split |
| throttle | Throttles the number of events | logstash-filter-throttle |
| translate | Replaces field contents based on a hash or YAML file | logstash-filter-translate |
| uuid | Adds a UUID to events | logstash-filter-uuid |
| urldecode | Decodes URL-encoded fields | logstash-filter-urldecode |
| useragent | Parses user agent strings into fields | logstash-filter-useragent |
| xml | Parses XML into fields | logstash-filter-xml |
| zeromq | Sends an event to ZeroMQ | logstash-filter-zeromq |