Fluentd
Search…
grep
The filter_grep filter plugin "greps" events by the values of specified fields.
It is included in the Fluentd's core.

Example Configurations

1
<filter foo.bar>
2
@type grep
3
4
<regexp>
5
key message
6
pattern /cool/
7
</regexp>
8
9
<regexp>
10
key hostname
11
pattern /^web\d+\.example\.com$/
12
</regexp>
13
14
<exclude>
15
key message
16
pattern /uncool/
17
</exclude>
18
</filter>
Copied!
The above example matches any event that satisfies the following conditions:
    1.
    The value of the message field contains cool.
    2.
    The value of the hostname field matches web<INTEGER>.example.com.
    3.
    The value of the message field does NOT contain uncool.
Hence, the following events are kept:
1
{"message":"It's cool outside today", "hostname":"web001.example.com"}
2
{"message":"That's not cool", "hostname":"web1337.example.com"}
Copied!
whereas the following examples are filtered out:
1
{"message":"I am cool but you are uncool", "hostname":"db001.example.com"}
2
{"hostname":"web001.example.com"}
3
{"message":"It's cool outside today"}
Copied!

Plugin Helpers

Parameters

<and> Directive

Specifies the filtering rule. This directive contains either <regexp> or <exclude> directive. This directive has been added since 1.2.0.
1
<and>
2
<regexp>
3
key price
4
pattern /[1-9]\d*/
5
</regexp>
6
7
<regexp>
8
key item_name
9
pattern /^book_/
10
</regexp>
11
</and>
Copied!
This is same as below:
1
<regexp>
2
key price
3
pattern /[1-9]\d*/
4
</regexp>
5
6
<regexp>
7
key item_name
8
pattern /^book_/
9
</regexp>
Copied!
We can also use <and> directive with <exclude> directive:
1
<and>
2
<exclude>
3
key container_name
4
pattern /^app\d{2}/
5
</exclude>
6
7
<exclude>
8
key log_level
9
pattern /^(?:debug|trace)$/
10
</exclude>
11
</and>
Copied!

<or> Directive

Specifies the filtering rule. This directive contains either <regexp> or <exclude> directive. This directive has been added since 1.2.0.
1
<or>
2
<exclude>
3
key status_code
4
pattern /^5\d\d$/
5
</exclude>
6
7
<exclude>
8
key url
9
pattern /\.css$/
10
</exclude>
11
</or>
Copied!
This is same as below:
1
<exclude>
2
key status_code
3
pattern /^5\d\d$/
4
</exclude>
5
6
<exclude>
7
key url
8
pattern /\.css$/
9
</exclude>
Copied!
We can also use <or> directive with <regexp> directive:
1
<or>
2
<regexp>
3
key container_name
4
pattern /^db\d{2}/
5
</regexp>
6
7
<regexp>
8
key log_level
9
pattern /^(?:warn|error)$/
10
</regexp>
11
</or>
Copied!

<regexp> Directive

Specifies the filtering rule. This directive contains two parameters:
    key
    pattern

key

type
default
version
string
required parameter
1.0.0
The field name to which the regular expression is applied.
This parameter supports nested field access via record_accessor syntax.

pattern

type
default
version
regexp
required parameter
1.2.0
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events unless the field price is a positive integer.
1
<regexp>
2
key price
3
pattern /[1-9]\d*/
4
</regexp>
Copied!
The grep filter filters out UNLESS all <regexp>s are matched. Hence, if you have:
1
<regexp>
2
key price
3
pattern /[1-9]\d*/
4
</regexp>
5
6
<regexp>
7
key item_name
8
pattern /^book_/
9
</regexp>
Copied!
unless the event's item_name field starts with book_ and the price field is an integer, it is filtered out.
For OR condition, you can use | operator of regular expressions. For example, if you have:
1
<regexp>
2
key item_name
3
pattern /(^book_|^article)/
4
</regexp>
Copied!
unless the event's item_name field starts with book* or article*, it is filtered out.
Note that if you want to use a match pattern with a leading slash (a typical case is a file path), you need to escape the leading slash. Otherwise, the pattern will not be recognized as expected.
Here is a simple example:
1
<regexp>
2
key filepath
3
pattern \/spool/
4
</regexp>
Copied!
You can also write the pattern like this:
1
<regexp>
2
key filepath
3
pattern /\/spool\//
4
</regexp>
Copied!
Learn regular expressions for more patterns.

regexpN

type
version
string
1.0.0
This is a deprecated parameter. Use <regexp> instead.
The N at the end should be replaced with an integer between 1 and 20 (e.g. regexp1). regexpN takes two whitespace-delimited arguments.
Here is regexpN version of <regexp> example:
1
regexp1 price [1-9]\d*
2
regexp2 item_name ^book_
Copied!

<exclude> Directive

Specifies the filtering rule to reject events. This directive contains two parameters:
    key
    pattern

key

type
default
version
string
required parameter
1.0.0
The field name to which the regular expression is applied.
This parameter supports nested field access via record_accessor syntax.

pattern

type
default
version
regexp
required parameter
1.2.0
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events whose status_code field is 5xx:
1
<exclude>
2
key status_code
3
pattern /^5\d\d$/
4
</exclude>
Copied!
The grep filter filters out if any <exclude> is matched. Hence, if you have:
1
<exclude>
2
key status_code
3
pattern /^5\d\d$/
4
</exclude>
5
6
<exclude>
7
key url
8
pattern /\.css$/
9
</exclude>
Copied!
Then, any event with status_code of 5xx OR url ending with .css is filtered out.

excludeN

type
version
string
1.0.0
This is a deprecated parameter. Use <exclude> instead.
The N at the end should be replaced with an integer between 1 and 20 (e.g. exclude1). excludeN takes two whitespace-delimited arguments.
Here is excludeN version of <exclude> example:
1
exclude1 status_code ^5\d\d$
2
exclude2 url \.css$
Copied!
If <regexp> and <exclude> are used together, both are applied.

Learn More

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 4mo ago