Fluentd
1.0
1.0
  • Introduction
  • Overview
    • Life of a Fluentd event
    • Support
    • FAQ
    • Logo
    • fluent-package v5 vs td-agent v4
  • Installation
    • Before Installation
    • Install fluent-package
      • RPM Package (Red Hat Linux)
      • DEB Package (Debian/Ubuntu)
      • .dmg Package (macOS)
      • .msi Installer (Windows)
    • Install calyptia-fluentd
      • RPM Package (Red Hat Linux)
      • DEB Package (Debian/Ubuntu)
      • .dmg Package (macOS)
      • .msi Installer (Windows)
    • Install by Ruby Gem
    • Install from Source
    • Post Installation Guide
    • Obsolete Installation
      • Treasure Agent v4 (EOL) Installation
        • Install by RPM Package v4 (Red Hat Linux)
        • Install by DEB Package v4 (Debian/Ubuntu)
        • Install by .dmg Package v4 (macOS)
        • Install by .msi Installer v4 (Windows)
      • Treasure Agent v3 (EOL) Installation
        • Install by RPM Package v3 (Red Hat Linux)
        • Install by DEB Package v3 (Debian/Ubuntu)
        • Install by .dmg Package v3 (macOS)
        • Install by .msi Installer v3 (Windows)
  • Configuration
    • Config File Syntax
    • Config File Syntax (YAML)
    • Routing Examples
    • Config: Common Parameters
    • Config: Parse Section
    • Config: Buffer Section
    • Config: Format Section
    • Config: Extract Section
    • Config: Inject Section
    • Config: Transport Section
    • Config: Storage Section
    • Config: Service Discovery Section
  • Deployment
    • System Configuration
    • Logging
    • Signals
    • RPC
    • High Availability Config
    • Performance Tuning
    • Multi Process Workers
    • Failure Scenarios
    • Plugin Management
    • Trouble Shooting
    • Fluentd UI
    • Linux Capability
    • Command Line Option
    • Source Only Mode
    • Zero-downtime restart
  • Container Deployment
    • Docker Image
    • Docker Logging Driver
    • Docker Compose
    • Kubernetes
  • Monitoring Fluentd
    • Overview
    • Monitoring by Prometheus
    • Monitoring by REST API
  • Input Plugins
    • tail
    • forward
    • udp
    • tcp
    • unix
    • http
    • syslog
    • exec
    • sample
    • monitor_agent
    • windows_eventlog
  • Output Plugins
    • file
    • forward
    • http
    • exec
    • exec_filter
    • secondary_file
    • copy
    • relabel
    • roundrobin
    • stdout
    • null
    • s3
    • kafka
    • elasticsearch
    • opensearch
    • mongo
    • mongo_replset
    • rewrite_tag_filter
    • webhdfs
    • buffer
  • Filter Plugins
    • record_transformer
    • grep
    • parser
    • geoip
    • stdout
  • Parser Plugins
    • regexp
    • apache2
    • apache_error
    • nginx
    • syslog
    • ltsv
    • csv
    • tsv
    • json
    • msgpack
    • multiline
    • none
  • Formatter Plugins
    • out_file
    • json
    • ltsv
    • csv
    • msgpack
    • hash
    • single_value
    • stdout
    • tsv
  • Buffer Plugins
    • memory
    • file
    • file_single
  • Storage Plugins
    • local
  • Service Discovery Plugins
    • static
    • file
    • srv
  • Metrics Plugins
    • local
  • How-to Guides
    • Stream Analytics with Materialize
    • Send Apache Logs to S3
    • Send Apache Logs to Minio
    • Send Apache Logs to Mongodb
    • Send Syslog Data to Graylog
    • Send Syslog Data to InfluxDB
    • Send Syslog Data to Sematext
    • Data Analytics with Treasure Data
    • Data Collection with Hadoop (HDFS)
    • Simple Stream Processing with Fluentd
    • Stream Processing with Norikra
    • Stream Processing with Kinesis
    • Free Alternative To Splunk
    • Email Alerting like Splunk
    • How to Parse Syslog Messages
    • Cloud Data Logging with Raspberry Pi
  • Language Bindings
    • Java
    • Ruby
    • Python
    • Perl
    • PHP
    • Nodejs
    • Scala
  • Plugin Development
    • How to Write Input Plugin
    • How to Write Base Plugin
    • How to Write Buffer Plugin
    • How to Write Filter Plugin
    • How to Write Formatter Plugin
    • How to Write Output Plugin
    • How to Write Parser Plugin
    • How to Write Storage Plugin
    • How to Write Service Discovery Plugin
    • How to Write Tests for Plugin
    • Configuration Parameter Types
    • Upgrade Plugin from v0.12
  • Plugin Helper API
    • Plugin Helper: Child Process
    • Plugin Helper: Compat Parameters
    • Plugin Helper: Event Emitter
    • Plugin Helper: Event Loop
    • Plugin Helper: Extract
    • Plugin Helper: Formatter
    • Plugin Helper: Inject
    • Plugin Helper: Parser
    • Plugin Helper: Record Accessor
    • Plugin Helper: Server
    • Plugin Helper: Socket
    • Plugin Helper: Storage
    • Plugin Helper: Thread
    • Plugin Helper: Timer
    • Plugin Helper: Http Server
    • Plugin Helper: Service Discovery
  • Troubleshooting Guide
  • Appendix
    • Update from v0.12 to v1
    • td-agent v2 vs v3 vs v4
Powered by GitBook
On this page
  • Example Configurations
  • Plugin Helpers
  • Parameters
  • <and> Directive
  • <or> Directive
  • <regexp> Directive
  • regexpN
  • <exclude> Directive
  • excludeN
  • Learn More

Was this helpful?

  1. Filter Plugins

grep

The filter_grep filter plugin "greps" events by the values of specified fields.

It is included in the Fluentd's core.

Example Configurations

<filter foo.bar>
  @type grep

  <regexp>
    key message
    pattern /cool/
  </regexp>

  <regexp>
    key hostname
    pattern /^web\d+\.example\.com$/
  </regexp>

  <exclude>
    key message
    pattern /uncool/
  </exclude>
</filter>

The above example matches any event that satisfies the following conditions:

  1. The value of the message field contains cool.

  2. The value of the hostname field matches web<INTEGER>.example.com.

  3. The value of the message field does NOT contain uncool.

Hence, the following events are kept:

{"message":"It's cool outside today", "hostname":"web001.example.com"}
{"message":"That's not cool", "hostname":"web1337.example.com"}

whereas the following examples are filtered out:

{"message":"I am cool but you are uncool", "hostname":"db001.example.com"}
{"hostname":"web001.example.com"}
{"message":"It's cool outside today"}

Plugin Helpers

Parameters

<and> Directive

Specifies the filtering rule. This directive contains either <regexp> or <exclude> directive. This directive has been added since 1.2.0.

<and>
  <regexp>
    key price
    pattern /[1-9]\d*/
  </regexp>

  <regexp>
    key item_name
    pattern /^book_/
  </regexp>
</and>

This is same as below:

<regexp>
  key price
  pattern /[1-9]\d*/
</regexp>

<regexp>
  key item_name
  pattern /^book_/
</regexp>

We can also use <and> directive with <exclude> directive:

<and>
  <exclude>
    key container_name
    pattern /^app\d{2}/
  </exclude>

  <exclude>
    key log_level
    pattern /^(?:debug|trace)$/
  </exclude>
</and>

<or> Directive

Specifies the filtering rule. This directive contains either <regexp> or <exclude> directive. This directive has been added since 1.2.0.

<or>
  <exclude>
    key status_code
    pattern /^5\d\d$/
  </exclude>

  <exclude>
    key url
    pattern /\.css$/
  </exclude>
</or>

This is same as below:

<exclude>
  key status_code
  pattern /^5\d\d$/
</exclude>

<exclude>
  key url
  pattern /\.css$/
</exclude>

We can also use <or> directive with <regexp> directive:

<or>
  <regexp>
    key container_name
    pattern /^db\d{2}/
  </regexp>

  <regexp>
    key log_level
    pattern /^(?:warn|error)$/
  </regexp>
</or>

<regexp> Directive

Specifies the filtering rule. This directive contains two parameters:

  • key

  • pattern

key

type

default

version

string

required parameter

1.0.0

The field name to which the regular expression is applied.

pattern

type

default

version

regexp

required parameter

1.2.0

The regular expression.

The pattern parameter is string type before 1.2.0.

For example, the following filters out events unless the field price is a positive integer.

<regexp>
  key price
  pattern /[1-9]\d*/
</regexp>

The grep filter filters out UNLESS all <regexp>s are matched. Hence, if you have:

<regexp>
  key price
  pattern /[1-9]\d*/
</regexp>

<regexp>
  key item_name
  pattern /^book_/
</regexp>

unless the event's item_name field starts with book_ and the price field is an integer, it is filtered out.

For OR condition, you can use | operator of regular expressions. For example, if you have:

<regexp>
  key item_name
  pattern /(^book_|^article)/
</regexp>

unless the event's item_name field starts with book* or article*, it is filtered out.

Note that if you want to use a match pattern with a leading slash (a typical case is a file path), you need to escape the leading slash. Otherwise, the pattern will not be recognized as expected.

Here is a simple example:

<regexp>
  key filepath
  pattern \/spool/
</regexp>

You can also write the pattern like this:

<regexp>
  key filepath
  pattern /\/spool\//
</regexp>

Learn regular expressions for more patterns.

regexpN

type

version

string

1.0.0

This is a deprecated parameter. Use <regexp> instead.

The N at the end should be replaced with an integer between 1 and 20 (e.g. regexp1). regexpN takes two whitespace-delimited arguments.

Here is regexpN version of <regexp> example:

regexp1 price [1-9]\d*
regexp2 item_name ^book_

<exclude> Directive

Specifies the filtering rule to reject events. This directive contains two parameters:

  • key

  • pattern

key

type

default

version

string

required parameter

1.0.0

The field name to which the regular expression is applied.

pattern

type

default

version

regexp

required parameter

1.2.0

The regular expression.

The pattern parameter is string type before 1.2.0.

For example, the following filters out events whose status_code field is 5xx:

<exclude>
  key status_code
  pattern /^5\d\d$/
</exclude>

The grep filter filters out if any <exclude> is matched. Hence, if you have:

<exclude>
  key status_code
  pattern /^5\d\d$/
</exclude>

<exclude>
  key url
  pattern /\.css$/
</exclude>

Then, any event with status_code of 5xx OR url ending with .css is filtered out.

excludeN

type

version

string

1.0.0

This is a deprecated parameter. Use <exclude> instead.

The N at the end should be replaced with an integer between 1 and 20 (e.g. exclude1). excludeN takes two whitespace-delimited arguments.

Here is excludeN version of <exclude> example:

exclude1 status_code ^5\d\d$
exclude2 url \.css$

If <regexp> and <exclude> are used together, both are applied.

Learn More

Previousrecord_transformerNextparser

Last updated 3 years ago

Was this helpful?

This parameter supports nested field access via .

This parameter supports nested field access via .

If this article is incorrect or outdated, or omits critical information, please . is an open-source project under . All components are available under the Apache 2 License.

record_accessor
Common Parameters
Filter Plugin Overview
record_transformer Filter Plugin
let us know
Fluentd
Cloud Native Computing Foundation (CNCF)
record_accessor syntax
record_accessor syntax