grep
The filter_grep
filter plugin "greps" events by the values of specified fields.
It is included in the Fluentd's core.
Example Configurations
The above example matches any event that satisfies the following conditions:
The value of the
message
field containscool
.The value of the
hostname
field matchesweb<INTEGER>.example.com
.The value of the
message
field does NOT containuncool
.
Hence, the following events are kept:
whereas the following examples are filtered out:
Plugin Helpers
Parameters
<and>
Directive
<and>
DirectiveSpecifies the filtering rule. This directive contains either <regexp>
or <exclude>
directive. This directive has been added since 1.2.0.
This is same as below:
We can also use <and>
directive with <exclude>
directive:
<or>
Directive
<or>
DirectiveSpecifies the filtering rule. This directive contains either <regexp>
or <exclude>
directive. This directive has been added since 1.2.0.
This is same as below:
We can also use <or>
directive with <regexp>
directive:
<regexp>
Directive
<regexp>
DirectiveSpecifies the filtering rule. This directive contains two parameters:
key
pattern
key
key
type
default
version
string
required parameter
1.0.0
The field name to which the regular expression is applied.
This parameter supports nested field access via record_accessor
syntax.
pattern
pattern
type
default
version
regexp
required parameter
1.2.0
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events unless the field price
is a positive integer.
The grep
filter filters out UNLESS all <regexp>
s are matched. Hence, if you have:
unless the event's item_name
field starts with book_
and the price
field is an integer, it is filtered out.
For OR condition, you can use |
operator of regular expressions. For example, if you have:
unless the event's item_name
field starts with book*
or article*
, it is filtered out.
Note that if you want to use a match pattern with a leading slash (a typical case is a file path), you need to escape the leading slash. Otherwise, the pattern will not be recognized as expected.
Here is a simple example:
You can also write the pattern like this:
Learn regular expressions for more patterns.
regexpN
regexpN
type
version
string
1.0.0
This is a deprecated parameter. Use <regexp>
instead.
The N
at the end should be replaced with an integer between 1 and 20 (e.g. regexp1
). regexpN
takes two whitespace-delimited arguments.
Here is regexpN
version of <regexp>
example:
<exclude>
Directive
<exclude>
DirectiveSpecifies the filtering rule to reject events. This directive contains two parameters:
key
pattern
key
key
type
default
version
string
required parameter
1.0.0
The field name to which the regular expression is applied.
This parameter supports nested field access via record_accessor
syntax.
pattern
pattern
type
default
version
regexp
required parameter
1.2.0
The regular expression.
The pattern parameter is string type before 1.2.0.
For example, the following filters out events whose status_code
field is 5xx:
The grep
filter filters out if any <exclude>
is matched. Hence, if you have:
Then, any event with status_code
of 5xx
OR url
ending with .css
is filtered out.
excludeN
excludeN
type
version
string
1.0.0
This is a deprecated parameter. Use <exclude>
instead.
The N
at the end should be replaced with an integer between 1 and 20 (e.g. exclude1
). excludeN
takes two whitespace-delimited arguments.
Here is excludeN
version of <exclude>
example:
If <regexp>
and <exclude>
are used together, both are applied.
Learn More
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last updated