Status : core feature, unit tested and maintained.
- only_type: execute the filter / output plugin only on lines with the specified type. Example: only_type=nginx
- only_field_exist_toto: execute the filter / output plugin only on lines with a field toto. You can specify it multiple times; all fields have to exist.
- only_field_equal_toto=aaa: execute the filter / output plugin only on lines with a field toto, with value aaa. You can specify it multiple times; all fields have to exist and have the specified value.
- only_field_match_toto=aaa$: execute the filter / output plugin only on lines with a field toto whose value matches the regular expression aaa$. You can specify it multiple times; all fields have to exist and match the regular expression.
As in logstash, you can have an event dependent configuration.
Example 1: use statsd output only for a given type.
    output {
      if [type] == nginx {
        statsd {
          host => localhost
          port => 8125
          metric_type => increment
          metric_key => nginx.request
        }
      }
    }
As in logstash, you can use complex conditions: if [loglevel] == "ERROR" and [deployment] == "production" {
You can use the following comparison operators:
- equality: ==, !=, <, >, <=, >=
- regexp: =~, !~
- inclusion: in, not in, miss
The supported boolean operators are: and, or, nand, xor.
The supported unary operators are: !.
Conditions can be long and complex. You can use if, elsif, else. Conditions can contain other expressions, you can negate expressions with !, and you can group them with parentheses (...).
Example 2: inject a missing header via filter.
    filter {
      if [type] miss "undefined" {
        compute_field {
          field => type
          value => '#{somefield}'
        }
      }
    }
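The if / elsif / else chaining, negation with ! and grouping with parentheses described above, combined in one output section. This is an added example, not part of the original page: it reuses the statsd options from Example 1 and the loglevel / deployment fields from the condition shown earlier, while the "FATAL" value and the metric_key names are constructed for illustration.

```logstash
output {
  if [type] == nginx and ([loglevel] == "ERROR" or [loglevel] == "FATAL") and [deployment] == "production" {
    statsd {
      host => localhost
      port => 8125
      metric_type => increment
      metric_key => nginx.error.production
    }
  } elsif [type] == nginx and ([loglevel] == "ERROR" or [loglevel] == "FATAL") and !([deployment] == "production") {
    statsd {
      host => localhost
      port => 8125
      metric_type => increment
      metric_key => nginx.error.other
    }
  } elsif [type] == nginx {
    statsd {
      host => localhost
      port => 8125
      metric_type => increment
      metric_key => nginx.request
    }
  } else {
    statsd {
      host => localhost
      port => 8125
      metric_type => increment
      metric_key => other.request
    }
  }
}
```

Branches are tested in order, so each event increments exactly one counter: the first branch whose condition holds wins, and else catches every event that is not of type nginx.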