search
Ctrlk

rewrite_tag_filter

The out_rewrite_tag_filter Output plugin provides a rule-based mechanism for rewriting tags.

hashtag
How It Works

The plugin is configured by defining a list of rules containing conditional statements and information on how to rewrite the matching tags.

When a message is handled by the plugin, the rules are tested one by one in order. If a matching rule is found, the message tag will be rewritten according to the definition in the rule and the message will be emitted again with the new tag.

hashtag
Example

hashtag
Basic Example

This in an example of how to use this plugin to rewrite tags. In the example, records tagged with app.component will have their tag prefixed with the value of the key message:

<match app.component>
  @type rewrite_tag_filter
  <rule>
    key message
    pattern /^\[(\w+)\]/
    tag $1.${tag}
  </rule>
</match>

Sample data:

+------------------------------------------+        +------------------------------------------------+
| original record                          |        | rewritten tag record                           |
|------------------------------------------|        |------------------------------------------------|
| app.component {"message":"[info]: ..."}  | +----> | info.app.component {"message":"[info]: ..."}   |
| app.component {"message":"[warn]: ..."}  | +----> | warn.app.component {"message":"[warn]: ..."}   |
| app.component {"message":"[crit]: ..."}  | +----> | crit.app.component {"message":"[crit]: ..."}   |
| app.component {"message":"[alert]: ..."} | +----> | alert.app.component {"message":"[alert]: ..."} |
+------------------------------------------+        +------------------------------------------------+

hashtag
Nested kubernetes namespace attributes based rules

This is an example of how to use this plugin to rewrite tags with nested attributes which are kubernetes metadata. In the example, records tagged with kubernetes.information will have their tag prefixed with the value of the nested key kubernetes.namespace_name.

Dot notation

Bracket notation

Sample data:

hashtag
Installation

out_rewrite_tag_filter is included in td-agent by default (v3.0.1 or later). Fluentd gem users will have to install the fluent-plugin-rewrite-tag-filter gem using the following command:

For more details, see Plugin Management.

hashtag
Configuration Example

By design, the configuration drops some pattern records first and then it re-emits the next matched record as the new tag name. The example configuration shown below gives an example on how the plugin can be used to define a number of rules that examine values from different keys and sets the tag depending on the regular expression configured in each rule.

The tag value is later used to decide whether the log event shall be dropped or not.

Please see fluent-plugin-rewrite-tag-filterarrow-up-right for further details.

hashtag
Parameters

hashtag
rewriteruleN

This is obsoleted since 2.0.0. Use <rule> section.

hashtag
capitalize_regex_backreference

type
default
version

bool

false

2.0.0

Capitalizes letter for every matched regex backreference. (e.g. maps -> Maps)

hashtag
hostname_command

type
default
version

string

hostname

2.0.0

Overrides hostname command for placeholder. (The default is the long hostname.)

hashtag
<rule> Section

It works in the order of appearance, regexp matching rule/pattern for the values of rule/key from each record, re-emits with rule/tag.

hashtag
key

type
default
version

string

required parameter

2.0.0

The field name to which the regular expression is applied.

hashtag
pattern

type
default
version

regexp

required parameter

2.1.0

The regular expression which is applied on the field value.

The type of pattern is string before 2.1.0.

hashtag
tag

type
default
version

string

required parameter

2.0.0

New tag.

hashtag
invert** (bool) (optional):

type
default
version

bool

false

2.0.0

If true, rewrite tag when unmatch pattern.

hashtag
Placeholders

The following variable can be used when specifying the name of the rewritten tag:

  • ${tag}

  • __TAG__

  • ${tag_parts[n]}

  • __TAG_PARTS[n]__

  • ${hostname}

  • __HOSTNAME__

See more details at tag-placeholderarrow-up-right.

hashtag
Use Cases

  • Aggregate + display 404 status pages by URL and referrer to find and

    fix dead links.

  • Send an IRC alert for 5xx status codes on exceeding thresholds.

hashtag
Aggregate + display 404 status pages by URL and referrer to find and fix dead links.

  • Collect access log from multiple application servers (config1)

  • Sum up the 404 error and output to mongoDB (config2)

IMPORTANT

The plugins are required to be installed:

  • fluent-plugin-rewrite-tag-filter

  • fluent-plugin-mongo

[Config1] Application Servers

[Config2] Monitoring Server

hashtag
Send an IRC alert for 5xx status codes on exceeding thresholds.

  • Collect access log from multiple application servers (config1)

  • Sum up the 500 error and notify IRC and logging details to mongoDB

    (config2)

IMPORTANT

The plugins are required to be installed:

  • fluent-plugin-rewrite-tag-filter

  • fluent-plugin-mongo

  • fluent-plugin-datacounter

  • fluent-plugin-notifier

  • fluent-plugin-parser

  • fluent-plugin-irc

[Config1] Application Servers

[Config2] Monitoring Server

hashtag
FAQ

hashtag
With rewrite-tag-filter, logs are not forwarded. Why?

If you have the following configuration, it doesn't work:

In this case, rewrite_tag_filter causes an infinite loop because the fluentd's routing is executed from top-to-bottom. So, you need to change the tag like this:

If this article is incorrect or outdated, or omits critical information, please let us knowarrow-up-right. Fluentdarrow-up-right is an open-source project under Cloud Native Computing Foundation (CNCF)arrow-up-right. All components are available under the Apache 2 License.

Previousmongo_replsetNextwebhdfs

Last updated

Was this helpful?