A filter plugin performs intermediary processing on an event. Filters are often applied conditionally depending on the characteristics of the event.
The following filter plugins are available below. For a list of Elastic supported plugins, please consult the Support Matrix.
Plugin |
Description |
Github repository |
Aggregates information from several events originating with a single task |
||
Performs general alterations to fields that the |
||
Parses string representations of computer storage sizes, such as "123 MB" or "5.6gb", into their numeric value in bytes |
||
Checks IP addresses against a list of network blocks |
||
Applies or removes a cipher to an event |
||
Duplicates events |
||
Parses comma-separated value data into individual fields |
||
Parses dates from fields to use as the Logstash timestamp for an event |
||
Computationally expensive filter that removes dots from a field name |
||
Extracts unstructured event data into fields using delimiters |
||
Performs a standard or reverse DNS lookup |
||
Drops all events |
||
Calculates the elapsed time between a pair of events |
||
Copies fields from previous log events in Elasticsearch to current events |
||
Stores environment variables as metadata sub-fields |
||
Extracts numbers from a string |
||
Fingerprints fields by replacing values with a consistent hash |
||
Adds geographical information about an IP address |
||
Parses unstructured event data into fields |
||
Provides integration with external web services/REST APIs |
||
Removes special characters from a field |
||
Enriches events with data pre-loaded from a remote database |
||
Enrich events with your database data |
||
Parses JSON events |
||
Serializes a field to JSON |
||
Parses key-value pairs |
||
Provides integration with external data in Memcached |
||
Takes complex events containing a number of metrics and splits these up into multiple events, each holding a single metric |
||
Aggregates metrics |
||
Performs mutations on fields |
||
Prunes event data based on a list of fields to blacklist or whitelist |
||
Checks that specified fields stay within given size or length limits |
||
Executes arbitrary Ruby code |
||
Sleeps for a specified time span |
||
Splits multi-line messages into distinct events |
||
Parses the |
||
Enriches security logs with information about the attacker’s intent |
||
Throttles the number of events |
||
Replaces the contents of the default message field with whatever you specify in the configuration |
||
Replaces field contents based on a hash or YAML file |
||
Truncates fields longer than a given length |
||
Decodes URL-encoded fields |
||
Parses user agent strings into fields |
||
Adds a UUID to events |
||
Parses XML into fields |