The filter element in the input configuration contains a list of filter descriptions, each describing one filter applied on an input.
The general elements in the JSON are the following:
Field | Description | Default |
---|---|---|
filter | The type of the filter; currently grok, keyvalue and json are supported | - |
conditions | The conditions that determine which input to filter | - |
sort_order | Describes the order in which the filters should be applied | - |
source_field | The source of the filter; must be set for keyvalue filters | log_message |
remove_source_field | Remove the source field after the filter is applied | false |
post_map_values | Mappings done after the filtering has provided its result; see post map values | - |
is_enabled | A flag to show if the filter should be used | true |
Grok filters have the following additional parameters:
Field | Description | Default |
---|---|---|
log4j_format | The log4j pattern of the log; it is not used and is only there for documentation | - |
multiline_pattern | The grok pattern that shows that the line is not a log line on its own but part of a multi-line entry | - |
message_pattern | The grok pattern to use to parse the log entry | - |
value_borders is used only if it is specified and value_split is not.
Key-value filters have the following additional parameters:
Field | Description | Default |
---|---|---|
field_split | The string that splits the key-value pairs | "\t" |
value_split | The string that separates keys from values | "=" |
value_borders | The borders around the value; must be 2 characters long, the first before the value and the second after it | - |
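
How the key-value parameters above interact, as an added Python sketch that is not Log Feeder's own code. The function name `apply_keyvalue_filter`, the dict-shaped event and the reading of borders as `key(value)` are assumptions made for illustration; the sample inputs are constructed.

```python
def apply_keyvalue_filter(event, source_field="log_message", field_split="\t",
                          value_split=None, value_borders=None,
                          remove_source_field=False):
    """Return a copy of `event` with the pairs found in `source_field` added as fields.

    Hypothetical helper: it mirrors the documented parameters, not the real parser.
    """
    if value_borders is not None and len(value_borders) != 2:
        raise ValueError("value_borders must be 2 characters long")

    out = dict(event)
    raw = out.get(source_field)
    if raw is None:
        return out  # nothing to parse for this event

    # value_borders applies only when it is specified and value_split is not.
    use_borders = value_borders is not None and value_split is None
    separator = value_split if value_split is not None else "="  # documented default

    for pair in raw.split(field_split):
        if use_borders:
            opener, closer = value_borders
            start = pair.find(opener)
            # Assumed syntax: key, opening border, value, closing border.
            if start <= 0 or not pair.endswith(closer):
                continue  # malformed entry: skip it rather than guess
            key, value = pair[:start], pair[start + 1:-1]
        else:
            key, found, value = pair.partition(separator)
            if not found or not key:
                continue  # no separator or empty key: not a key-value pair
        out[key.strip()] = value

    if remove_source_field:
        out.pop(source_field, None)
    return out


# Constructed sample events, not taken from a real log.
PLAIN = {"log_message": "user=admin\top=login\tnote=a=b"}
BORDERED = {"log_message": "User(admin)\tOperation(login)\tStatus(Success)"}

if __name__ == "__main__":
    print(apply_keyvalue_filter(PLAIN))
    print(apply_keyvalue_filter(BORDERED, value_borders="()", remove_source_field=True))
```
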