The plugins described in this section are useful for core operations, such as mutating and dropping events.
date filter
Parses dates from fields to use as Logstash timestamps for events.
The following config parses a field called logdate to set the Logstash timestamp:
filter {
  date {
    match => [ "logdate", "MMM dd yyyy HH:mm:ss" ]
  }
}
drop filter
Drops events. This filter is typically used in combination with conditionals.
The following config drops debug level log messages:
filter {
  if [loglevel] == "debug" {
    drop { }
  }
}
fingerprint filter
Fingerprints fields by applying a consistent hash.
The following config fingerprints the IP, @timestamp, and message fields and adds the hash to a metadata field called generated_id:
filter {
  fingerprint {
    source => ["IP", "@timestamp", "message"]
    # hash all source fields together into one fingerprint
    concatenate_sources => true
    method => "SHA1"
    key => "0123"
    target => "[@metadata][generated_id]"
  }
}
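Added example, not from the Logstash documentation: plain Ruby showing why it matters whether the three source fields are hashed together or each written to the same target, using a keyed SHA1 (HMAC) as in the config above. The events are constructed, and the length-prefixed encoding is this example's own choice, not the plugin's internal format.

```ruby
require "openssl"

KEY = "0123" # demo key from the config above; a real key should be a long random secret
FIELDS = ["IP", "@timestamp", "message"].freeze

# Constructed sample events: the third is a replay of the first.
EVENTS = [
  { "IP" => "10.0.0.5", "@timestamp" => "2024-05-01T12:00:00Z", "message" => "login failed" },
  { "IP" => "10.0.0.9", "@timestamp" => "2024-05-01T12:00:03Z", "message" => "login failed" },
  { "IP" => "10.0.0.5", "@timestamp" => "2024-05-01T12:00:00Z", "message" => "login failed" },
].freeze

def hmac_sha1(data, key = KEY)
  OpenSSL::HMAC.hexdigest("SHA1", key, data)
end

# Each field is hashed on its own and written to the same target, so the
# stored value depends only on the last source field.
def fingerprint_last_field(event, fields = FIELDS)
  fields.map { |f| hmac_sha1(event[f].to_s) }.last
end

# All fields are hashed together. Names and values are length-prefixed so
# bytes cannot move across a field boundary and yield the same input.
def fingerprint_all_fields(event, fields = FIELDS)
  encoded = fields.sort.map do |f|
    v = event[f].to_s
    "#{f.bytesize}:#{f}#{v.bytesize}:#{v}"
  end.join
  hmac_sha1(encoded)
end

# Number of distinct IDs a deduplicating store would keep.
def distinct_ids(events)
  events.map { |e| yield(e) }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  puts "last field only: #{distinct_ids(EVENTS) { |e| fingerprint_last_field(e) }} distinct IDs"
  puts "all fields:      #{distinct_ids(EVENTS) { |e| fingerprint_all_fields(e) }} distinct IDs"
end
```

With the last-field variant, both hosts' "login failed" events collapse into one ID, so a store keyed on generated_id would silently overwrite one of them.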
mutate filter
Performs general mutations on fields. You can rename, remove, replace, and modify fields in your events.
The following config renames the HOSTORIP field to client_ip:
filter {
  mutate {
    rename => { "HOSTORIP" => "client_ip" }
  }
}
The following config strips leading and trailing whitespace from the specified fields:
filter {
  mutate {
    strip => ["field1", "field2"]
  }
}
ruby filter
Executes Ruby code.
The following config executes Ruby code that cancels 90% of the events:
filter {
  ruby {
    code => "event.cancel if rand <= 0.90"
  }
}