Fluentd
Search…
grep
The
filter_grep filter plugin "greps" events by the values of specified fields.Example Configurations
filter_grep is included in Fluentd's core. No installation required.1
<filter foo.bar>
2
@type grep
3
<regexp>
4
key message
5
pattern cool
6
</regexp>
7
<regexp>
8
key hostname
9
pattern ^web\d+\.example\.com$
10
</regexp>
11
<exclude>
12
key message
13
pattern uncool
14
</exclude>
15
</filter>
Copied!
The above example matches any event that satisfies the following conditions:
- 1.The value of the "message" field contains "cool"
- 2.The value of the "hostname" field matches
web<INTEGER>.example.com. - 3.The value of the "message" field does NOT contain "uncool".
Hence, the following events are kept:
1
{"message":"It's cool outside today", "hostname":"web001.example.com"}
2
{"message":"That's not cool", "hostname":"web1337.example.com"}
Copied!
whereas the following examples are filtered out:
1
{"message":"I am cool but you are uncool", "hostname":"db001.example.com"}
2
{"hostname":"web001.example.com"}
3
{"message":"It's cool outside today"}
Copied!
Parameters
<regexp> directive (optional)
Specify filtering rule. This directive contains two parameters. This parameter is available since v0.12.38.
- key
The field name to which the regular expression is applied.
- pattern
The regular expression.
For example, the following filters out events unless the field "price" is a positive integer.
1
<regexp>
2
key price
3
pattern [1-9]\d*
4
</regexp>
Copied!
The grep filter filters out UNLESS all
<regexp>s are matched. Hence, if you have1
<regexp>
2
key price
3
pattern [1-9]\d*
4
</regexp>
5
<regexp>
6
key item_name
7
pattern ^book_
8
</regexp>
Copied!
unless the event's "item_name" field starts with "book_" and the "price" field is an integer, it is filtered out.
For OR condition, you can use
| operator of regular expressions. For example, if you have1
<regexp>
2
key item_name
3
pattern (^book_|^article)
4
</regexp>
Copied!
unless the event's "item_name" field starts with "book" or "article", it is filtered out.
Learn regular expressions for more patterns.
regexpN (optional)
This is deprecated parameter. Use
<regexp> instead if you use v0.12.38 or later.The "N" at the end should be replaced with an integer between 1 and 20 (ex: "regexp1"). regexpN takes two whitespace-delimited arguments.
Here is
regexpN version of <regexp> example:1
regexp1 price [1-9]\d*
2
regexp2 item_name ^book_
Copied!
<exclude> directive (optional)
Specify filtering rule to reject events. This directive contains two parameters. This parameter is available since v0.12.38.
- key
The field name to which the regular expression is applied.
- pattern
The regular expression.
For example, the following filters out events whose "status_code" field is 5xx.
1
<exclude>
2
key status_code
3
pattern ^5\d\d$
4
</exclude>
Copied!
The grep filter filters out if any
<exclude> is matched. Hence, if you have1
<exclude>
2
key status_code
3
pattern ^5\d\d$
4
</exclude>
5
<exclude>
6
key url
7
pattern \.css$
8
</exclude>
Copied!
Then, any event whose "status_code" is 5xx OR "url" ends with ".css" is filtered out.
excludeN (optional)
This is deprecated parameter. Use
<exclude> instead if you use v0.12.38 or later.The "N" at the end should be replaced with an integer between 1 and 20 (ex: "exclude1"). excludeN takes two whitespace-delimited arguments.
Here is
excludeN version of <exclude> example:1
exclude1 status_code ^5\d\d$
2
exclude2 url \.css$
Copied!
If
<regexp> and <exclude> are used together, both are applied.Learn More
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 1yr ago