Filter plugins

A filter plugin performs intermediary processing on an event. Filters are often applied conditionally depending on the characteristics of the event.

The following filter plugins are available:

Elastic supported plugins

These plugins are maintained and supported by Elastic.

| Plugin | Description | GitHub repository |
| --- | --- | --- |
| aggregate | Aggregates information from several events originating with a single task | logstash-filter-aggregate |
| anonymize | Replaces field values with a consistent hash | logstash-filter-anonymize |
| csv | Parses comma-separated value data into individual fields | logstash-filter-csv |
| date | Parses dates from fields to use as the Logstash timestamp for an event | logstash-filter-date |
| de_dot | Computationally expensive filter that removes dots from a field name | logstash-filter-de_dot |
| dissect | Extracts unstructured event data into fields using delimiters | logstash-filter-dissect |
| dns | Performs a standard or reverse DNS lookup | logstash-filter-dns |
| drop | Drops all events | logstash-filter-drop |
| fingerprint | Fingerprints fields by replacing values with a consistent hash | logstash-filter-fingerprint |
| geoip | Adds geographical information about an IP address | logstash-filter-geoip |
| grok | Parses unstructured event data into fields | logstash-filter-grok |
| json | Parses JSON events | logstash-filter-json |
| kv | Parses key-value pairs | logstash-filter-kv |
| mutate | Performs mutations on fields | logstash-filter-mutate |
| ruby | Executes arbitrary Ruby code | logstash-filter-ruby |
| sleep | Sleeps for a specified time span | logstash-filter-sleep |
| split | Splits multi-line messages into distinct events | logstash-filter-split |
| syslog_pri | Parses the PRI (priority) field of a syslog message | logstash-filter-syslog_pri |
| throttle | Throttles the number of events | logstash-filter-throttle |
| translate | Replaces field contents based on a hash or YAML file | logstash-filter-translate |
| urldecode | Decodes URL-encoded fields | logstash-filter-urldecode |
| useragent | Parses user agent strings into fields | logstash-filter-useragent |
| uuid | Adds a UUID to events | logstash-filter-uuid |
| xml | Parses XML into fields | logstash-filter-xml |

Community supported plugins

These plugins are maintained and supported by the community. These plugins have met the Logstash development & testing criteria for integration. Contributors include Community Maintainers, the Logstash core team at Elastic, and the broader community.

| Plugin | Description | GitHub repository |
| --- | --- | --- |
| alter | Performs general alterations to fields that the mutate filter does not handle | logstash-filter-alter |
| cidr | Checks IP addresses against a list of network blocks | logstash-filter-cidr |
| cipher | Applies or removes a cipher to an event | logstash-filter-cipher |
| clone | Duplicates events | logstash-filter-clone |
| collate | Collates events by time or count | logstash-filter-collate |
| elapsed | Calculates the elapsed time between a pair of events | logstash-filter-elapsed |
| elasticsearch | Copies fields from previous log events in Elasticsearch to current events | logstash-filter-elasticsearch |
| environment | Stores environment variables as metadata sub-fields | logstash-filter-environment |
| extractnumbers | Extracts numbers from a string | logstash-filter-extractnumbers |
| i18n | Removes special characters from a field | logstash-filter-i18n |
| json_encode | Serializes a field to JSON | logstash-filter-json_encode |
| metaevent | Adds arbitrary fields to an event | logstash-filter-metaevent |
| metricize | Takes complex events containing a number of metrics and splits these up into multiple events, each holding a single metric | logstash-filter-metricize |
| metrics | Aggregates metrics | logstash-filter-metrics |
| oui | Parses OUI data from MAC addresses | logstash-filter-oui |
| prune | Prunes event data based on a list of fields to blacklist or whitelist | logstash-filter-prune |
| punct | Strips all non-punctuation content from a field | logstash-filter-punct |
| range | Checks that specified fields stay within given size or length limits | logstash-filter-range |
| tld | Replaces the contents of the default message field with whatever you specify in the configuration | logstash-filter-tld |
| yaml | Takes an existing field that contains YAML and expands it into an actual data structure within the Logstash event | logstash-filter-yaml |
| zeromq | Sends an event to ZeroMQ | logstash-filter-zeromq |