# grep
The `filter_grep` filter plugin "greps" events by the values of specified fields.
It is included in the Fluentd's core.
## Example Configurations
```
@type grep
key message
pattern /cool/
key hostname
pattern /^web\d+\.example\.com$/
key message
pattern /uncool/
```
The above example matches any event that satisfies the following conditions:
1. The value of the `message` field contains `cool`.
2. The value of the `hostname` field matches `web.example.com`.
3. The value of the `message` field does NOT contain `uncool`.
Hence, the following events are kept:
```
{"message":"It's cool outside today", "hostname":"web001.example.com"}
{"message":"That's not cool", "hostname":"web1337.example.com"}
```
whereas the following examples are filtered out:
```
{"message":"I am cool but you are uncool", "hostname":"db001.example.com"}
{"hostname":"web001.example.com"}
{"message":"It's cool outside today"}
```
## Plugin Helpers
* [`record_accessor`](https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-record_accessor)
## Parameters
[Common Parameters](https://docs.fluentd.org/configuration/plugin-common-parameters)
### `` Directive
Specifies the filtering rule. This directive contains either `` or `` directive. This directive has been added since 1.2.0.
```
key price
pattern /[1-9]\d*/
key item_name
pattern /^book_/
```
This is same as below:
```
key price
pattern /[1-9]\d*/
key item_name
pattern /^book_/
```
We can also use `` directive with `` directive:
```
key container_name
pattern /^app\d{2}/
key log_level
pattern /^(?:debug|trace)$/
```
### `` Directive
Specifies the filtering rule. This directive contains either `` or `` directive. This directive has been added since 1.2.0.
```
key status_code
pattern /^5\d\d$/
key url
pattern /\.css$/
```
This is same as below:
```
key status_code
pattern /^5\d\d$/
key url
pattern /\.css$/
```
We can also use `` directive with `` directive:
```
key container_name
pattern /^db\d{2}/
key log_level
pattern /^(?:warn|error)$/
```
### `` Directive
Specifies the filtering rule. This directive contains two parameters:
* `key`
* `pattern`
#### `key`
| type | default | version |
| ------ | ------------------ | ------- |
| string | required parameter | 1.0.0 |
The field name to which the regular expression is applied.
This parameter supports nested field access via [`record_accessor` syntax](https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-record_accessor#syntax).
#### `pattern`
| type | default | version |
| ------ | ------------------ | ------- |
| regexp | required parameter | 1.2.0 |
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events unless the field `price` is a positive integer.
```
key price
pattern /[1-9]\d*/
```
The `grep` filter filters out UNLESS all ``s are matched. Hence, if you have:
```
key price
pattern /[1-9]\d*/
key item_name
pattern /^book_/
```
unless the event's `item_name` field starts with `book_` and the `price` field is an integer, it is filtered out.
For OR condition, you can use `|` operator of regular expressions. For example, if you have:
```
key item_name
pattern /(^book_|^article)/
```
unless the event's `item_name` field starts with `book*` or `article*`, it is filtered out.
Note that if you want to use a match pattern with a leading slash (a typical case is a file path), you need to escape the leading slash. Otherwise, the pattern will not be recognized as expected.
Here is a simple example:
```
key filepath
pattern \/spool/
```
You can also write the pattern like this:
```
key filepath
pattern /\/spool\//
```
Learn regular expressions for more patterns.
### `regexpN`
| type | version |
| ------ | ------- |
| string | 1.0.0 |
This is a deprecated parameter. Use `` instead.
The `N` at the end should be replaced with an integer between 1 and 20 (e.g. `regexp1`). `regexpN` takes two whitespace-delimited arguments.
Here is `regexpN` version of `` example:
```
regexp1 price [1-9]\d*
regexp2 item_name ^book_
```
### `` Directive
Specifies the filtering rule to reject events. This directive contains two parameters:
* `key`
* `pattern`
#### `key`
| type | default | version |
| ------ | ------------------ | ------- |
| string | required parameter | 1.0.0 |
The field name to which the regular expression is applied.
This parameter supports nested field access via [`record_accessor` syntax](https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-record_accessor#syntax).
#### `pattern`
| type | default | version |
| ------ | ------------------ | ------- |
| regexp | required parameter | 1.2.0 |
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events whose `status_code` field is 5xx:
```
key status_code
pattern /^5\d\d$/
```
The `grep` filter filters out if any `` is matched. Hence, if you have:
```
key status_code
pattern /^5\d\d$/
key url
pattern /\.css$/
```
Then, any event with `status_code` of `5xx` OR `url` ending with `.css` is filtered out.
### `excludeN`
| type | version |
| ------ | ------- |
| string | 1.0.0 |
This is a deprecated parameter. Use `` instead.
The `N` at the end should be replaced with an integer between 1 and 20 (e.g. `exclude1`). `excludeN` takes two whitespace-delimited arguments.
Here is `excludeN` version of `` example:
```
exclude1 status_code ^5\d\d$
exclude2 url \.css$
```
If `` and `` are used together, both are applied.
## Learn More
* [Filter Plugin Overview](https://docs.fluentd.org/filter)
* [`record_transformer` Filter Plugin](https://docs.fluentd.org/filter/record_transformer)
If this article is incorrect or outdated, or omits critical information, please [let us know](https://github.com/fluent/fluentd-docs-gitbook/issues?state=open). [Fluentd](http://www.fluentd.org/) is an open-source project under [Cloud Native Computing Foundation (CNCF)](https://cncf.io/). All components are available under the Apache 2 License.