logstash/docs/reference/core-operations.md
Karen Metts 91927d7450
Doc: Migrate docs from AsciiDoc to Markdown in 9.0 branch (#17289)
* Doc: Delete asciidoc files for 9.0 branch
* Add MD files for 9.0 branch
2025-03-10 18:02:14 -04:00

mapped_pages
https://www.elastic.co/guide/en/logstash/current/core-operations.html

Performing Core Operations [core-operations]

The plugins described in this section are useful for core operations, such as mutating and dropping events.

date filter
Parses dates from fields to use as Logstash timestamps for events.

The following config parses a field called logdate to set the Logstash timestamp:

```
filter {
  date {
    match => [ "logdate", "MMM dd yyyy HH:mm:ss" ]
  }
}
```

drop filter
Drops events. This filter is typically used in combination with conditionals.

The following config drops debug level log messages:

```
filter {
  if [loglevel] == "debug" {
    drop { }
  }
}
```

fingerprint filter
Fingerprints fields by applying a consistent hash.

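The following config fingerprints the IP, @timestamp, and message fields and adds the hash to a metadata field called generated_id. Setting concatenate_sources to true makes the filter hash all three fields together; with the default (false) and several source fields, the target holds the fingerprint of the last source field only:

```
filter {
  fingerprint {
    source => ["IP", "@timestamp", "message"]
    concatenate_sources => true   # hash all source fields together, not only the last one
    method => "SHA1"
    key => "0123"                 # sample key; with a key set, the hash is an HMAC
    target => "[@metadata][generated_id]"
  }
}
```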
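
The following standalone Ruby sketch is an added example, not code from Logstash or the fingerprint plugin. It models a keyed SHA1 fingerprint to show why a re-delivered event gets the same ID, and why hashing only the last source field (what the filter does with several sources when concatenate_sources is left at its default) gives distinct events the same ID. The serialization, the function names and the sample events are assumptions, so the digests will not match the plugin's output.

```ruby
require "openssl"

KEY = "0123" # sample key from the config above
FIELDS = ["IP", "@timestamp", "message"].freeze

# Hypothetical serialization: "|name|value" per field in sorted-name order.
# Delimiting names and values keeps ("ab", "c") distinct from ("a", "bc").
def serialize(event, fields)
  fields.sort.map { |f| "|#{f}|#{event.fetch(f)}" }.join + "|"
end

# Keyed SHA1 (HMAC) over every listed field.
def fingerprint_all(event, fields, key = KEY)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, serialize(event, fields))
end

# Keyed SHA1 over the last listed field only.
def fingerprint_last(event, fields, key = KEY)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, event.fetch(fields.last).to_s)
end

# Constructed sample events.
EVENTS = [
  { "IP" => "198.51.100.7", "@timestamp" => "2025-03-10T18:02:14Z", "message" => "login failed" },
  # exact re-delivery of the first event
  { "IP" => "198.51.100.7", "@timestamp" => "2025-03-10T18:02:14Z", "message" => "login failed" },
  # different client and time, same message text
  { "IP" => "203.0.113.9", "@timestamp" => "2025-03-10T18:02:15Z", "message" => "login failed" }
].freeze

# Number of distinct IDs a downstream store would see for these events.
def distinct_ids(events, fields, mode)
  events.map { |e| send(mode, e, fields) }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  puts "all fields : #{distinct_ids(EVENTS, FIELDS, :fingerprint_all)} distinct IDs"
  puts "last field : #{distinct_ids(EVENTS, FIELDS, :fingerprint_last)} distinct IDs"
end
```

With all fields hashed, the three events yield two IDs (the re-delivery collapses into the original); with only the last field hashed they yield one, so the second client's event would be indistinguishable from the first.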

mutate filter
Performs general mutations on fields. You can rename, remove, replace, and modify fields in your events.

The following config renames the HOSTORIP field to client_ip:

```
filter {
  mutate {
    rename => { "HOSTORIP" => "client_ip" }
  }
}
```

The following config strips leading and trailing whitespace from the specified fields:

```
filter {
  mutate {
    strip => ["field1", "field2"]
  }
}
```

ruby filter
Executes Ruby code.

The following config executes Ruby code that cancels 90% of the events:

```
filter {
  ruby {
    code => "event.cancel if rand <= 0.90"
  }
}
```