Performing Core Operations
The plugins described in this section are useful for core operations, such as mutating and dropping events.
- date filter
  Parses dates from fields to use as Logstash timestamps for events.
  The following config parses a field called logdate to set the Logstash timestamp:

      filter {
        date {
          match => [ "logdate", "MMM dd yyyy HH:mm:ss" ]
        }
      }
- drop filter
  Drops events. This filter is typically used in combination with conditionals.
  The following config drops debug level log messages:

      filter {
        if [loglevel] == "debug" {
          drop { }
        }
      }
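- fingerprint filter
  Fingerprints fields by applying a consistent hash.
  The following config fingerprints the IP, @timestamp, and message fields and adds the hash to a metadata field called generated_id:

      filter {
        fingerprint {
          source => ["IP", "@timestamp", "message"]
          # Hash all listed fields together; without this option only the
          # last source field ("message") ends up in the fingerprint.
          concatenate_sources => true
          method => "SHA1"
          # With a key set, the digest is computed as a keyed hash (HMAC).
          key => "0123"
          target => "[@metadata][generated_id]"
        }
      }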
- mutate filter
  Performs general mutations on fields. You can rename, remove, replace, and modify fields in your events.
  The following config renames the HOSTORIP field to client_ip:

      filter {
        mutate {
          rename => { "HOSTORIP" => "client_ip" }
        }
      }

  The following config strips leading and trailing whitespace from the specified fields:

      filter {
        mutate {
          strip => ["field1", "field2"]
        }
      }
- ruby filter
  Executes Ruby code.
  The following config executes Ruby code that cancels 90% of the events:

      filter {
        ruby {
          code => "event.cancel if rand <= 0.90"
        }
      }
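
For the fingerprint filter above, an added Ruby sketch (not code from the Logstash documentation or the plugin) of a keyed SHA1 fingerprint over several source fields, showing why every listed field has to go into the hash for the ID to distinguish events. The sample events, the function names and the `|name|value|` concatenation layout are assumptions made for illustration.

```ruby
require "openssl"

# Constructed sample events (not taken from the Logstash docs).
EVENTS = [
  { "IP" => "10.0.0.5", "@timestamp" => "2024-01-01T00:00:00Z", "message" => "login failed" },
  { "IP" => "10.0.0.9", "@timestamp" => "2024-01-01T00:00:07Z", "message" => "login failed" },
  # Replay of the first event: a stable fingerprint should give it the same ID.
  { "IP" => "10.0.0.5", "@timestamp" => "2024-01-01T00:00:00Z", "message" => "login failed" }
].freeze

SOURCES = ["IP", "@timestamp", "message"].freeze
KEY = "0123" # sample key from the config on this page; use a secret value in practice

# Keyed SHA1 (HMAC) over the selected source fields.
#   concatenate: true  -> every field name and value goes into the hashed string
#                         (the behaviour of the plugin's concatenate_sources option)
#   concatenate: false -> only the last listed source field is hashed
# The "|name|value|" layout is an assumption of this sketch and is not
# guaranteed to be byte-identical to what the plugin hashes.
def fingerprint(event, sources, key, concatenate:)
  data = if concatenate
           sources.map { |field| "|#{field}|#{event[field]}" }.join + "|"
         else
           event[sources.last].to_s
         end
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data)
end

# Number of distinct IDs a batch of events collapses to.
def distinct_ids(events, sources, key, concatenate:)
  events.map { |e| fingerprint(e, sources, key, concatenate: concatenate) }.uniq.size
end

# Hashing only the last field makes all three events collide on one ID;
# hashing all fields separates the two real events and still matches the replay.
puts "last field only: #{distinct_ids(EVENTS, SOURCES, KEY, concatenate: false)} distinct id(s)"
puts "all fields:      #{distinct_ids(EVENTS, SOURCES, KEY, concatenate: true)} distinct id(s)"
```

If the fingerprint is used as a document ID for deduplication, the collision in the first case means unrelated events overwrite each other.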