Class: LogStash::Filters::Prune

Inherits:
Base
  • Object
show all
Defined in:
lib/logstash/filters/prune.rb

Overview

The prune filter is for removing fields from events based on whitelists or blacklist of field names or their values (names and values can also be regular expressions).

This can e.g. be useful if you have a <<plugins-filters-json,json>> or <<plugins-filters-kv,kv>> filter that creates a number of fields with names that you don’t necessarily know the names of beforehand, and you only want to keep a subset of them.

Usage help: To specify a exact field name or value use the regular expression syntax ‘^some_name_or_value$`. Example usage: Input data `{ “msg”:“hello world”, “msg_short”:“hw” }`

source,ruby

filter {

%PLUGIN% {
  whitelist_names => [ "msg" ]
}

}

Allows both ‘“msg”` and `“msg_short”` through.

While:

source,ruby

filter {

%PLUGIN% {
  whitelist_names => ["^msg$"]
}

}

Allows only ‘“msg”` through.

Logstash stores an event’s ‘tags` as a field which is subject to pruning. Remember to `whitelist_names => [ “^tags$” ]` to maintain `tags` after pruning or use `blacklist_values => [ “^tag_name$” ]` to eliminate a specific `tag`.

NOTE: This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

Instance Method Summary collapse

Instance Method Details

#filter(event) ⇒ Object 



107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
 
# File 'lib/logstash/filters/prune.rb', line 107

def filter(event)


  hash = event.to_hash

  # We need to collect fields which needs to be remove ,and only in the end
  # actually remove it since then interpolation mode you can get unexpected
  # results as fields with dynamic values will not match since the fields to
  # which they refer have already been removed.
  fields_to_remove = []

  unless @whitelist_names.empty?
    @whitelist_names_regexp = Regexp.union(@whitelist_names.map {|x| Regexp.new(event.sprintf(x))}) if @interpolate
    hash.each_key do |field|
      fields_to_remove << field unless field.match(@whitelist_names_regexp)
    end
  end

  unless @blacklist_names.empty?
    @blacklist_names_regexp = Regexp.union(@blacklist_names.map {|x| Regexp.new(event.sprintf(x))}) if @interpolate
    hash.each_key do |field|
      fields_to_remove << field if field.match(@blacklist_names_regexp)
    end
  end

  @whitelist_values.each do |key, value|
    if @interpolate
      key = event.sprintf(key)
      value = Regexp.new(event.sprintf(value))
    end
    if hash[key]
      if hash[key].is_a?(Array)
        subvalues_to_remove = hash[key].find_all{|x| not x.match(value)}
        unless subvalues_to_remove.empty?
          fields_to_remove << (subvalues_to_remove.length == hash[key].length ? key : { :key => key, :values => subvalues_to_remove })
        end
      else
        fields_to_remove << key if not hash[key].match(value)
      end
    end
  end

  @blacklist_values.each do |key, value|
    if @interpolate
      key = event.sprintf(key)
      value = Regexp.new(event.sprintf(value))
    end
    if hash[key]
      if hash[key].is_a?(Array)
        subvalues_to_remove = hash[key].find_all{|x| x.match(value)}
        unless subvalues_to_remove.empty?
          fields_to_remove << (subvalues_to_remove.length == hash[key].length ? key : { :key => key, :values => subvalues_to_remove })
        end
      else
        fields_to_remove << key if hash[key].match(value)
      end
    end
  end

  fields_to_remove.each do |field|
    if field.is_a?(Hash)
      event.set(field[:key], hash[field[:key]] - field[:values])
    else
      hash.delete(field)
      event.remove(field)
    end
  end

  filter_matched(event)
end

#registerObject 



93
94
95
96
97
98
99
100
101
102
103
104
 
# File 'lib/logstash/filters/prune.rb', line 93

def register
  unless @interpolate
    @whitelist_names_regexp = Regexp.union(@whitelist_names.map {|x| Regexp.new(x)})
    @blacklist_names_regexp = Regexp.union(@blacklist_names.map {|x| Regexp.new(x)})
    @whitelist_values.each do |key, value|
      @whitelist_values[key] = Regexp.new(value)
    end
    @blacklist_values.each do |key, value|
      @blacklist_values[key] = Regexp.new(value)
    end
  end
end