grep

Status: beta

Grep filter. Useful for dropping events you don't want to pass, or adding tags or fields to events that match.

Events not matched are dropped. If 'negate' is set to true (defaults false), then matching events are dropped.

Synopsis

This is what it might look like in your config file:

filter {
  grep {
    /[A-Za-z0-9_-]+/ => ... # string (optional)
    add_field => ... # hash (optional), default: {}
    add_tag => ... # array (optional), default: []
    drop => ... # boolean (optional), default: true
    exclude_tags => ... # array (optional), default: []
    match => ... # hash (optional), default: {}
    negate => ... # boolean (optional)
    remove_tag => ... # array (optional), default: []
    tags => ... # array (optional), default: []
    type => ... # string (optional), default: ""
  }
}

Details

/[A-Za-z0-9_-]+/

  • The configuration attribute name here is anything that matches the above regular expression.
  • Value type is string
  • There is no default value for this setting.

Config for grep is:

  fieldname: pattern

Allow arbitrary keys for this config.

add_field

  • Value type is hash
  • Default value is {}

If this filter is successful, add any arbitrary fields to this event. Example:

filter {
  myfilter {
    add_field => [ "sample", "Hello world, from %{@source}" ]
  }
}

On success, myfilter will then add field 'sample' with the value above and the %{@source} piece replaced with that value from the event.

add_tag

  • Value type is array
  • Default value is []

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:

filter {
  myfilter {
    add_tag => [ "foo_%{somefield}" ]
  }
}

If the event has field "somefield" == "hello", this filter, on success, would add a tag "foo_hello".

drop

  • Value type is boolean
  • Default value is true

Drop events that don't match.

If this is set to false, no events will be dropped at all. Rather, the requested tags and fields will be added to matching events, and non-matching events will be passed through unchanged.

exclude_tags

  • Value type is array
  • Default value is []

Only handle events without any of these tags. Note that this check is applied in addition to type and tags.

match

  • Value type is hash
  • Default value is {}

A hash of matches of field => regexp. If multiple matches are specified, all must match for the grep to be considered successful. Normal regular expressions are supported here.

negate

  • Value type is boolean
  • There is no default value for this setting.

Negate the match. Similar to 'grep -v'.

If this is set to true, then any positive matches will result in the event being cancelled and dropped. Non-matching events will be allowed through.

remove_tag

  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:

filter {
  myfilter {
    remove_tag => [ "foo_%{somefield}" ]
  }
}

If the event has field "somefield" == "hello", this filter, on success, would remove the tag "foo_hello" if it is present.

tags

  • Value type is array
  • Default value is []

Only handle events with all of these tags. Note that if you specify a type, the event must also match that type. Optional.

type

  • Value type is string
  • Default value is ""

The type to act on. If a type is given, then this filter will only act on messages with the same type. See any input plugin's "type" attribute for more. Optional.
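
The following added example (not part of the original documentation or the plugin source) shows how 'drop' and 'negate' decide which events survive the filter, which matters when the pipeline carries logs you need for detection or audit. The type "syslog", the field "@message", the patterns and the tag name are assumptions chosen for illustration; the three variants are alternatives, not one config file.

```logstash
# Variant A: defaults (drop => true).
# Events of type "syslog" whose @message matches are tagged and passed on.
# Every other "syslog" event is dropped and never reaches an output, so
# this grep silently becomes the only thing your outputs will ever see.
filter {
  grep {
    type    => "syslog"                           # assumed input type
    match   => [ "@message", "Failed password" ]  # assumed field and pattern
    add_tag => [ "auth_failure" ]                 # assumed tag name
  }
}

# Variant B: tag only (drop => false).
# Matching events get the tag; non-matching events pass through unchanged.
# Use this form when the goal is to mark events of interest for later
# routing or alerting without losing the rest of the log stream.
filter {
  grep {
    type    => "syslog"
    match   => [ "@message", "Failed password" ]
    add_tag => [ "auth_failure" ]
    drop    => false
  }
}

# Variant C: discard known noise (negate => true).
# Events whose @message matches the pattern are cancelled and dropped;
# events that do not match are allowed through.
# Keep the pattern narrow: anything it matches is gone for good.
filter {
  grep {
    type   => "syslog"
    match  => [ "@message", "healthcheck" ]       # assumed noise pattern
    negate => true
  }
}
```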


This is documentation from lib/logstash/filters/grep.rb