Fluentd
Search…
1.0
grep
The
filter_grep filter plugin "greps" events by the values of specified fields.It is included in the Fluentd's core.
Example Configurations
1
<filter foo.bar>
2
@type grep
3
​
4
<regexp>
5
key message
6
pattern /cool/
7
</regexp>
8
​
9
<regexp>
10
key hostname
11
pattern /^web\d+\.example\.com$/
12
</regexp>
13
​
14
<exclude>
15
key message
16
pattern /uncool/
17
</exclude>
18
</filter>
Copied!
The above example matches any event that satisfies the following conditions:
- 1.The value of the
messagefield containscool. - 2.The value of the
hostnamefield matchesweb<INTEGER>.example.com. - 3.The value of the
messagefield does NOT containuncool.
Hence, the following events are kept:
1
{"message":"It's cool outside today", "hostname":"web001.example.com"}
2
{"message":"That's not cool", "hostname":"web1337.example.com"}
Copied!
whereas the following examples are filtered out:
1
{"message":"I am cool but you are uncool", "hostname":"db001.example.com"}
2
{"hostname":"web001.example.com"}
3
{"message":"It's cool outside today"}
Copied!
Plugin Helpers
Parameters
<and> Directive
<and> DirectiveSpecifies the filtering rule. This directive contains either
<regexp> or <exclude> directive. This directive has been added since 1.2.0.1
<and>
2
<regexp>
3
key price
4
pattern /[1-9]\d*/
5
</regexp>
6
​
7
<regexp>
8
key item_name
9
pattern /^book_/
10
</regexp>
11
</and>
Copied!
This is same as below:
1
<regexp>
2
key price
3
pattern /[1-9]\d*/
4
</regexp>
5
​
6
<regexp>
7
key item_name
8
pattern /^book_/
9
</regexp>
Copied!
We can also use
<and> directive with <exclude> directive:1
<and>
2
<exclude>
3
key container_name
4
pattern /^app\d{2}/
5
</exclude>
6
​
7
<exclude>
8
key log_level
9
pattern /^(?:debug|trace)$/
10
</exclude>
11
</and>
Copied!
<or> Directive
<or> DirectiveSpecifies the filtering rule. This directive contains either
<regexp> or <exclude> directive. This directive has been added since 1.2.0.1
<or>
2
<exclude>
3
key status_code
4
pattern /^5\d\d$/
5
</exclude>
6
​
7
<exclude>
8
key url
9
pattern /\.css$/
10
</exclude>
11
</or>
Copied!
This is same as below:
1
<exclude>
2
key status_code
3
pattern /^5\d\d$/
4
</exclude>
5
​
6
<exclude>
7
key url
8
pattern /\.css$/
9
</exclude>
Copied!
We can also use
<or> directive with <regexp> directive:1
<or>
2
<regexp>
3
key container_name
4
pattern /^db\d{2}/
5
</regexp>
6
​
7
<regexp>
8
key log_level
9
pattern /^(?:warn|error)$/
10
</regexp>
11
</or>
Copied!
<regexp> Directive
<regexp> DirectiveSpecifies the filtering rule. This directive contains two parameters:
keypattern
key
keytype
default
version
string
required parameter
1.0.0
The field name to which the regular expression is applied.
pattern
patterntype
default
version
regexp
required parameter
1.2.0
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events unless the field
price is a positive integer.1
<regexp>
2
key price
3
pattern /[1-9]\d*/
4
</regexp>
Copied!
The
grep filter filters out UNLESS all <regexp>s are matched. Hence, if you have:1
<regexp>
2
key price
3
pattern /[1-9]\d*/
4
</regexp>
5
​
6
<regexp>
7
key item_name
8
pattern /^book_/
9
</regexp>
Copied!
unless the event's
item_name field starts with book_ and the price field is an integer, it is filtered out.For OR condition, you can use
| operator of regular expressions. For example, if you have:1
<regexp>
2
key item_name
3
pattern /(^book_|^article)/
4
</regexp>
Copied!
unless the event's
item_name field starts with book* or article*, it is filtered out.Note that if you want to use a match pattern with a leading slash (a typical case is a file path), you need to escape the leading slash. Otherwise, the pattern will not be recognized as expected.
Here is a simple example:
1
<regexp>
2
key filepath
3
pattern \/spool/
4
</regexp>
Copied!
You can also write the pattern like this:
1
<regexp>
2
key filepath
3
pattern /\/spool\//
4
</regexp>
Copied!
Learn regular expressions for more patterns.
regexpN
regexpNtype
version
string
1.0.0
This is a deprecated parameter. Use
<regexp> instead.The
N at the end should be replaced with an integer between 1 and 20 (e.g. regexp1). regexpN takes two whitespace-delimited arguments.Here is
regexpN version of <regexp> example:1
regexp1 price [1-9]\d*
2
regexp2 item_name ^book_
Copied!
<exclude> Directive
<exclude> DirectiveSpecifies the filtering rule to reject events. This directive contains two parameters:
keypattern
key
keytype
default
version
string
required parameter
1.0.0
The field name to which the regular expression is applied.
pattern
patterntype
default
version
regexp
required parameter
1.2.0
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events whose
status_code field is 5xx:1
<exclude>
2
key status_code
3
pattern /^5\d\d$/
4
</exclude>
Copied!
The
grep filter filters out if any <exclude> is matched. Hence, if you have:1
<exclude>
2
key status_code
3
pattern /^5\d\d$/
4
</exclude>
5
​
6
<exclude>
7
key url
8
pattern /\.css$/
9
</exclude>
Copied!
Then, any event with
status_code of 5xx OR url ending with .css is filtered out.excludeN
excludeNtype
version
string
1.0.0
This is a deprecated parameter. Use
<exclude> instead.The
N at the end should be replaced with an integer between 1 and 20 (e.g. exclude1). excludeN takes two whitespace-delimited arguments.Here is
excludeN version of <exclude> example:1
exclude1 status_code ^5\d\d$
2
exclude2 url \.css$
Copied!
If
<regexp> and <exclude> are used together, both are applied.Learn More
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 7mo ago