pruneedit

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/plugin install logstash-filter-prune.

The prune filter is for pruning event data from @fields based on whitelist/blacklist of field names or their values (names and values can also be regular expressions).

 

Synopsisedit

This plugin supports the following configuration options:

Required configuration options:

prune {
}

Available configuration options:

Setting Input type Required Default value

add_field

hash

No

{}

add_tag

array

No

[]

blacklist_names

array

No

["%{[^}]+}"]

blacklist_values

hash

No

{}

interpolate

boolean

No

false

periodic_flush

boolean

No

false

remove_field

array

No

[]

remove_tag

array

No

[]

whitelist_names

array

No

[]

whitelist_values

hash

No

{}

Detailsedit

 

add_fieldedit

  • Value type is hash
  • Default value is {}

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field}.

Example:

    filter {
      prune {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }
[source,ruby]
    # You can also add multiple fields at once:
    filter {
      prune {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add field foo_hello if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

add_tagedit

  • Value type is array
  • Default value is []

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      prune {
        add_tag => [ "foo_%{somefield}" ]
      }
    }
[source,ruby]
    # You can also add multiple tags at once:
    filter {
      prune {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).

blacklist_namesedit

  • Value type is array
  • Default value is ["%{[^}]+}"]

Exclude fields which names match specified regexps, by default exclude unresolved %{field} strings.

    filter {
      prune {
        tags            => [ "apache-accesslog" ]
        blacklist_names => [ "method", "(referrer|status)", "${some}_field" ]
      }
    }

blacklist_valuesedit

  • Value type is hash
  • Default value is {}

Exclude specified fields if their values match regexps. In case field values are arrays, the fields are pruned on per array item in case all array items are matched whole field will be deleted.

    filter {
      prune {
        tags             => [ "apache-accesslog" ]
        blacklist_values => [ "uripath", "/index.php",
                              "method", "(HEAD|OPTIONS)",
                              "status", "^[^2]" ]
      }
    }

exclude_tags (DEPRECATED)edit

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is array
  • Default value is []

Only handle events without any of these tags. Optional.

interpolateedit

  • Value type is boolean
  • Default value is false

Trigger whether configation fields and values should be interpolated for dynamic values. Probably adds some performance overhead. Defaults to false.

periodic_flushedit

  • Value type is boolean
  • Default value is false

Call the filter flush method at regular interval. Optional.

remove_fieldedit

  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:

    filter {
      prune {
        remove_field => [ "foo_%{somefield}" ]
      }
    }
[source,ruby]
    # You can also remove multiple fields at once:
    filter {
      prune {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the field with name foo_hello if it is present. The second example would remove an additional, non-dynamic field.

remove_tagedit

  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      prune {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }
[source,ruby]
    # You can also remove multiple tags at once:
    filter {
      prune {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the tag foo_hello if it is present. The second example would remove a sad, unwanted tag as well.

tags (DEPRECATED)edit

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is array
  • Default value is []

Only handle events with all of these tags. Optional.

type (DEPRECATED)edit

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is ""

Note that all of the specified routing options (type,tags,exclude_tags,include_fields, exclude_fields) must be met in order for the event to be handled by the filter. The type to act on. If a type is given, then this filter will only act on messages with the same type. See any input plugin’s type attribute for more. Optional.

whitelist_namesedit

  • Value type is array
  • Default value is []

Include only fields only if their names match specified regexps, default to empty list which means include everything.

    filter {
      prune {
        tags            => [ "apache-accesslog" ]
        whitelist_names => [ "method", "(referrer|status)", "${some}_field" ]
      }
    }

whitelist_valuesedit

  • Value type is hash
  • Default value is {}

Include specified fields only if their values match regexps. In case field values are arrays, the fields are pruned on per array item thus only matching array items will be included.

    filter {
      prune {
        tags             => [ "apache-accesslog" ]
        whitelist_values => [ "uripath", "/index.php",
                              "method", "(GET|POST)",
                              "status", "^[^2]" ]
      }
    }