Event API
This section is targeted at plugin developers and users of Logstash’s Ruby filter. Below we document recent changes (starting with version 5.0) in the way users have been accessing Logstash’s event-based data in custom plugins and in the Ruby filter. Note that accessing event data and fields in Logstash’s config files using Field References (see Accessing Event Data and Fields in the Configuration) is not affected by this change, and will continue to use existing syntax.
Event Object
Event is the main object that encapsulates data flow internally in Logstash and provides an API for plugin developers to interact with the event’s content. Typically, this API is used in plugins and in a Ruby filter to retrieve data and use it for transformations. The Event object contains the original data sent to Logstash and any additional fields created during Logstash’s filter stages.
In 5.0, we’ve re-implemented the Event class and its supporting classes in pure Java. Since Event is a critical component in data processing, a rewrite in Java improves performance and provides efficient serialization when storing data on disk. For the most part, this change aims at keeping backward compatibility and is transparent to users. To this end, we’ve updated and published most of the plugins in Logstash’s ecosystem to adhere to the new API changes. However, if you are maintaining a custom plugin, or have a Ruby filter, this change will affect you. The aim of this guide is to describe the new API and provide examples for migrating to it.
Event API
Prior to version 5.0, developers could access and manipulate event data by directly using Ruby hash syntax. For example, event[field] = foo. While this is powerful, our goal is to abstract the internal implementation details and provide well-defined getter and setter APIs.
The getter provides read-only access to field-based data in an Event.
Syntax: event.get(field)
Returns: Value for this field or nil if the field does not exist. Returned values could be a string, numeric or timestamp scalar value.
field is a structured field sent to Logstash or created after the transformation process. field can also be a nested field reference such as [field][bar].
    event.get("foo") # => "baz"
    event.get("[foo]") # => "zab"
    event.get("[foo][bar]") # => 1
    event.get("[foo][bar]") # => 1.0
    event.get("[foo][bar]") # => [1, 2, 3]
    event.get("[foo][bar]") # => {"a" => 1, "b" => 2}
    event.get("[foo][bar]") # => {"a" => 1, "b" => 2, "c" => [1, 2]}
Accessing @metadata:

    event.get("[@metadata][foo]") # => "baz"
The setter API can be used to mutate data in an Event.
Syntax: event.set(field, value)
Returns: The current Event after the mutation, which can be used for chainable calls.

    event.set("foo", "baz")
    event.set("[foo]", "zab")
    event.set("[foo][bar]", 1)
    event.set("[foo][bar]", 1.0)
    event.set("[foo][bar]", [1, 2, 3])
    event.set("[foo][bar]", {"a" => 1, "b" => 2})
    event.set("[foo][bar]", {"a" => 1, "b" => 2, "c" => [1, 2]})
    event.set("[@metadata][foo]", "baz")
Mutating a collection after setting it in the Event has undefined behaviour and is not allowed.

    h = {"a" => 1, "b" => 2, "c" => [1, 2]}
    event.set("[foo][bar]", h)

    h["c"] = [3, 4]
    event.get("[foo][bar][c]") # => undefined

Suggested way of mutating collections:

    h = {"a" => 1, "b" => 2, "c" => [1, 2]}
    event.set("[foo][bar]", h)

    h["c"] = [3, 4]
    event.set("[foo][bar]", h)

    # Alternatively,
    event.set("[foo][bar][c]", [3, 4])
Ruby Filter
The Ruby Filter can be used to execute any Ruby code and manipulate event data using the API described above. For example, using the new API:

    filter {
      ruby {
        code => 'event.set("lowercase_field", event.get("message").downcase)'
      }
    }

This filter will lowercase the message field, and set it to a new field called lowercase_field.
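Because event.get returns nil for a missing field, calling downcase on the result raises for any event without a message field. The following is an added example, not code from the Logstash project: StubEvent is a hypothetical stand-in that models only the documented get/set contract so the filter body can run outside Logstash, and the _lowercase_skipped tag name is made up.

```ruby
# Hypothetical stand-in for Logstash's Event, modelling only the documented
# get/set contract so the filter logic below runs outside Logstash.
class StubEvent
  def initialize(data = {})
    @data = data
  end

  # "foo" and "[foo]" name the same top-level field; "[a][b]" is nested.
  def path(ref)
    ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end

  # Returns the value, or nil when any part of the path is missing.
  def get(ref)
    path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  # Creates intermediate hashes as needed and returns self for chaining.
  def set(ref, value)
    *parents, leaf = path(ref)
    node = parents.reduce(@data) do |n, key|
      n[key] = {} unless n[key].is_a?(Hash)
      n[key]
    end
    node[leaf] = value
    self
  end
end

# Body you would place in the ruby filter's `code` setting, wrapped in a
# method here so it can be exercised directly.
def lowercase_message(event)
  message = event.get("message")
  if message.is_a?(String)
    event.set("lowercase_field", message.downcase)
  else
    # get returned nil (field absent) or a non-string value: tag the event
    # instead of raising. The tag name is an assumption for this example.
    tags = Array(event.get("tags"))
    # Build a new array and set it again rather than mutating in place.
    event.set("tags", tags | ["_lowercase_skipped"])
  end
  event
end
```

Inside a real ruby filter only the body of lowercase_message is needed, since the filter already supplies event.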