The filter element in the input configuration contains a list of filter descriptions, each describing one filter applied on an input.
The general elements in the json are the following:
| Field | Description | Default |
|---|---|---|
| filter | The type of the filter, currently grok, keyvalue and json are supported | - |
| conditions | The conditions of which input to filter | - |
| sort_order | Describes the order in which the filters should be applied | - |
| source_field | The source of the filter, must be set for keyvalue filters | log_message |
| remove_source_field | Remove the source field after the filter is applied | false |
| post_map_values | Mappings done after the filtering provided it's result, see post map values | - |
| is_enabled | A flag to show if the filter should be used | true |
Grok filters have the following additional parameters:
| Field | Description | Default |
|---|---|---|
| log4j_format | The log4j pattern of the log, not used, it is only there for documentation | - |
| multiline_pattern | The grok pattern that shows that the line is not a log line on it's own but the part of a multi line entry | - |
| message_pattern | The grok pattern to use to parse the log entry | - |
value_borders is only used if it is specified, and value_split is not.
Key-value filters have the following additional parameters:
| Field | Description | Default |
|---|---|---|
| field_split | The string that splits the key-value pairs | “\t” |
| value_split | The string that separates keys from values | “=” |
| value_borders | The borders around the value, must be 2 characters long, first before it, second after it | - |