Class: LogStash::Filters::Prune
- Inherits:
-
Base
- Object
- Base
- LogStash::Filters::Prune
- Defined in:
- lib/logstash/filters/prune.rb
Overview
The prune filter is for removing fields from events based on whitelists or blacklist of field names or their values (names and values can also be regular expressions).
This can e.g. be useful if you have a <<plugins-filters-json,json>> or <<plugins-filters-kv,kv>> filter that creates a number of fields with names that you don’t necessarily know the names of beforehand, and you only want to keep a subset of them.
Usage help: To specify a exact field name or value use the regular expression syntax ‘^some_name_or_value$`. Example usage: Input data `{ “msg”:“hello world”, “msg_short”:“hw” }`
- source,ruby
-
filter {
%PLUGIN% { whitelist_names => [ "msg" ] }
}
Allows both ‘“msg”` and `“msg_short”` through.
While:
- source,ruby
-
filter {
%PLUGIN% { whitelist_names => ["^msg$"] }
}
Allows only ‘“msg”` through.
Logstash stores an event’s ‘tags` as a field which is subject to pruning. Remember to `whitelist_names => [ “^tags$” ]` to maintain `tags` after pruning or use `blacklist_values => [ “^tag_name$” ]` to eliminate a specific `tag`.
NOTE: This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.
Instance Method Summary collapse
Instance Method Details
#filter(event) ⇒ Object
107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 |
# File 'lib/logstash/filters/prune.rb', line 107 def filter(event) hash = event.to_hash # We need to collect fields which needs to be remove ,and only in the end # actually remove it since then interpolation mode you can get unexpected # results as fields with dynamic values will not match since the fields to # which they refer have already been removed. fields_to_remove = [] unless @whitelist_names.empty? @whitelist_names_regexp = Regexp.union(@whitelist_names.map {|x| Regexp.new(event.sprintf(x))}) if @interpolate hash.each_key do |field| fields_to_remove << field unless field.match(@whitelist_names_regexp) end end unless @blacklist_names.empty? @blacklist_names_regexp = Regexp.union(@blacklist_names.map {|x| Regexp.new(event.sprintf(x))}) if @interpolate hash.each_key do |field| fields_to_remove << field if field.match(@blacklist_names_regexp) end end @whitelist_values.each do |key, value| if @interpolate key = event.sprintf(key) value = Regexp.new(event.sprintf(value)) end if hash[key] if hash[key].is_a?(Array) subvalues_to_remove = hash[key].find_all{|x| not x.match(value)} unless subvalues_to_remove.empty? fields_to_remove << (subvalues_to_remove.length == hash[key].length ? key : { :key => key, :values => subvalues_to_remove }) end else fields_to_remove << key if not hash[key].match(value) end end end @blacklist_values.each do |key, value| if @interpolate key = event.sprintf(key) value = Regexp.new(event.sprintf(value)) end if hash[key] if hash[key].is_a?(Array) subvalues_to_remove = hash[key].find_all{|x| x.match(value)} unless subvalues_to_remove.empty? fields_to_remove << (subvalues_to_remove.length == hash[key].length ? key : { :key => key, :values => subvalues_to_remove }) end else fields_to_remove << key if hash[key].match(value) end end end fields_to_remove.each do |field| if field.is_a?(Hash) event.set(field[:key], hash[field[:key]] - field[:values]) else hash.delete(field) event.remove(field) end end filter_matched(event) end |
#register ⇒ Object
93 94 95 96 97 98 99 100 101 102 103 104 |
# File 'lib/logstash/filters/prune.rb', line 93 def register unless @interpolate @whitelist_names_regexp = Regexp.union(@whitelist_names.map {|x| Regexp.new(x)}) @blacklist_names_regexp = Regexp.union(@blacklist_names.map {|x| Regexp.new(x)}) @whitelist_values.each do |key, value| @whitelist_values[key] = Regexp.new(value) end @blacklist_values.each do |key, value| @blacklist_values[key] = Regexp.new(value) end end end |