Performing Core Operations


The plugins described in this section are useful for core operations, such as mutating and dropping events.

date filter

Parses dates from fields to use as Logstash timestamps for events.

The following config parses a field called logdate to set the Logstash timestamp:

filter {
  date {
    match => [ "logdate", "MMM dd yyyy HH:mm:ss" ]
  }
}

drop filter

Drops events. This filter is typically used in combination with conditionals.

The following config drops debug level log messages:

filter {
  if [loglevel] == "debug" {
    drop { }
  }
}

fingerprint filter

Fingerprints fields by applying a consistent hash.

The following config fingerprints the IP, @timestamp, and message fields and adds the hash to a metadata field called generated_id:

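filter {
  fingerprint {
    source => ["IP", "@timestamp", "message"]
    # Hash all source fields together; without this only the last field is fingerprinted
    concatenate_sources => true
    method => "SHA1"
    # With a key set, the hash is computed as an HMAC; "0123" is a placeholder value
    key => "0123"
    target => "[@metadata][generated_id]"
  }
}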
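
The following Ruby sketch is an added example, not Logstash or plugin code. It models the keyed SHA1 fingerprint over three constructed events to show why all source fields must be hashed together when the result is used as a deduplication id: the plugin's documented default for multiple sources, without `concatenate_sources`, fingerprints only the last field. The event values, the helper names, and the `|name|value` joining layout are assumptions of this example.

```ruby
require "openssl"

# Constructed sample events (not from the page); field names match the config.
EVENTS = [
  { "IP" => "192.0.2.10",   "@timestamp" => "2024-05-01T12:00:00.000Z", "message" => "login failed for admin" },
  { "IP" => "192.0.2.10",   "@timestamp" => "2024-05-01T12:00:00.000Z", "message" => "login failed for admin" }, # resent duplicate
  { "IP" => "198.51.100.7", "@timestamp" => "2024-05-01T12:00:00.000Z", "message" => "login failed for admin" }, # different client
].freeze

SOURCES = ["IP", "@timestamp", "message"].freeze
KEY = "0123" # placeholder key, as in the config

# Keyed SHA1 (HMAC) of one string, hex encoded.
def hmac_sha1(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data)
end

# All source fields hashed together. Names and values are joined with "|" so
# field boundaries are part of the input; this layout is the example's assumption.
def fingerprint_all(event, sources = SOURCES, key = KEY)
  hmac_sha1(key, sources.sort.map { |f| "|#{f}|#{event[f]}" }.join + "|")
end

# Only the last source field hashed: the outcome when sources are not concatenated.
def fingerprint_last(event, sources = SOURCES, key = KEY)
  hmac_sha1(key, event[sources.last].to_s)
end

# Number of distinct ids a set of events produces under a fingerprint method,
# i.e. how many documents survive when the id is used as the document key.
def distinct_ids(events, method_name)
  events.map { |e| send(method_name, e) }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  puts "all fields: #{distinct_ids(EVENTS, :fingerprint_all)} distinct ids"
  puts "last field: #{distinct_ids(EVENTS, :fingerprint_last)} distinct ids"
end
```

Hashing all fields collapses only the true duplicate, while hashing the last field alone also merges the event from the second client into the first.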

mutate filter

Performs general mutations on fields. You can rename, remove, replace, and modify fields in your events.

The following config renames the HOSTORIP field to client_ip:

filter {
  mutate {
    rename => { "HOSTORIP" => "client_ip" }
  }
}

The following config strips leading and trailing whitespace from the specified fields:

filter {
  mutate {
    strip => ["field1", "field2"]
  }
}

ruby filter

Executes Ruby code.

The following config executes Ruby code that cancels 90% of the events:

filter {
  ruby {
    code => "event.cancel if rand <= 0.90"
  }
}