This Processor has been deprecated. You should use the Filter Processor instead, which offers the ability to use multiple conditional statements for filter criteria.
The Filter by Field processor allows events to pass based on the presence of a specific key-value pair. Events that return true for the comparison operands are forwarded.
You can use this processor to drop events that may not be meaningful, or to reduce the total amount of data forwarded to a subsequent processor or destination. This can be useful, for example, for dropping events that may be DEBUG level and not needed for long term storage, or metrics that are zero and should not need to be recorded.
This processor uses a key and comparison operator to determine if a specific event should be forwarded. Comparison operations are primarily targeted at numeric values, though string comparison is supported in the equal to and not equal to operators.
There are three options to configure for this processor.
| Option | Description | Example |
|---|
| Field | The field you want to apply the filter to. | .foo |
| Operator | The type of operator to use for the filter. | greater |
| Value | The value for the operator to use. | 10 |
The filter terms you enter for Value are treated as case-insensitive by default. Click the button next to the Value field to activate case-sensitivity.
| Operator | Description | Example |
|---|
| Contains | Accepts string values. Will drop the record if it does not contain the value in the string. | bar |
| Exists | Drops the record if the field exists | |
| Not Exists | Drops the record if the field does not exist | |
| Operator | Description | Example |
|---|
| Ends With | The contents of a given field ends with. | bar |
| Starts With | The contents of a given field starts with. | foo |
| Operator | Description | Example |
|---|
| Greater | Accepts only numeric values. | 10 |
| Greater or Equal | Accepts only numeric values. | 10 |
| Less | Accepts only numeric values. | 10 |
| Less or Equal | Accepts only numeric values. | 10 |
| Equal | Accepts both numeric and string values. Does a string comparison on non string fields. | bar |
| Not Equal | Accepts both numeric and string values. Does a string comparison on non string fields. | bar |
| Operator | Description | Example |
|---|
| Is Array | Drops the record if the field is not an array. | [ "foo", "bar" ] |
| Is Boolean | Drops the record if the field is not a boolean. | true |
| Is Empty | Drops the record if the field does not contain an empty string, array or object. | "" |
| Is Null | Drops the record if the field is not null. | null |
| Is Number | Drops the record if the field is not a numeric. | 123.45 |
| Is Object | Drops the record if the field is not an object. | { "foo": "bar" } |
| Is String | Drops the record if the field is not a string. | "This is foo bar" |
Before
Filter Options
| Option | Value |
|---|
| Field | .foo |
| Operator | greater |
| Value | 10 |
After
Before
Filter Options
| Option | Value |
|---|
| Field | .foo |
| Operator | equal |
| Value | 10 |
After
Before
Filter Options
| Option | Value |
|---|
| Field | .foo |
| Operator | contains |
| Value | 10 |
| Case Sensitive | On |
After
Before
Filter Options
| Option | Value |
|---|
| Field | .foo |
| Operator | is_empty |
After
In some cases, log data streams include extraneous data such as Debug level information. These would normally not be needed in the production monitoring stream and can be discarded.
This example uses the log level field as a filtering operator to drop anything with a DEBUG value.
Before
Filter Options
| Option | Value |
|---|
| Field | .level |
| Operator | not_equal |
| Value | debug |
After
