Filter
Filter events based on a set of conditions
Configuration
Example configurations
{
"transforms": {
"my_transform_id": {
"type": "filter",
"inputs": [
"my-source-or-transform-id"
]
}
}
}
[transforms.my_transform_id]
type = "filter"
inputs = [ "my-source-or-transform-id" ]
transforms:
my_transform_id:
type: filter
inputs:
- my-source-or-transform-id
{
"transforms": {
"my_transform_id": {
"type": "filter",
"inputs": [
"my-source-or-transform-id"
]
}
}
}
[transforms.my_transform_id]
type = "filter"
inputs = [ "my-source-or-transform-id" ]
transforms:
my_transform_id:
type: filter
inputs:
- my-source-or-transform-id
condition
required conditionThe condition that every input event is matched against.
If an event is matched by the condition, it is forwarded. Otherwise, the event is dropped.
type
.Available syntaxes
Syntax | Description | Example |
---|---|---|
vrl | A Vector Remap Language (VRL) Boolean expression. | .status_code != 200 && !includes(["info", "debug"], .severity) |
datadog_search | A Datadog Search query string. | *stack |
is_log | Whether the incoming event is a log. |
|
is_metric | Whether the incoming event is a metric. |
|
is_trace | Whether the incoming event is a trace. |
|
Shorthand for VRL
If you opt for the vrl
syntax for this condition, you can set the condition
as a string via the condition
parameter, without needing to specify both a source
and a type
. The
table below shows some examples:
Config format | Example |
---|---|
YAML | condition: .status == 200 |
TOML | condition = ".status == 200" |
JSON | "condition": ".status == 200" |
Condition config examples
Standard VRL
condition:
type: "vrl"
source: ".status == 500"
condition = { type = "vrl", source = ".status == 500" }
"condition": {
"type": "vrl",
"source": ".status == 500"
}
inputs
required [string]A list of upstream source or transform IDs.
Wildcards (*
) are supported.
See configuration for more info.
Outputs
<component_id>
Telemetry
Metrics
linkcomponent_discarded_events_total
counterfilter
transform, or false if due to an error.component_errors_total
countercomponent_received_event_bytes_total
countercomponent_received_events_count
histogramA histogram of the number of events passed in each internal batch in Vector’s internal topology.
Note that this is separate than sink-level batching. It is mostly useful for low level debugging performance issues in Vector due to small internal batches.
component_received_events_total
countercomponent_sent_event_bytes_total
countercomponent_sent_events_total
counterutilization
gaugeExamples
Drop debug logs
Given this event...[{"log":{"level":"debug","message":"I'm a noisy debug log"}},{"log":{"level":"info","message":"I'm a normal info log"}}]
transforms:
my_transform_id:
type: filter
inputs:
- my-source-or-transform-id
condition: .level != "debug"
[transforms.my_transform_id]
type = "filter"
inputs = [ "my-source-or-transform-id" ]
condition = '.level != "debug"'
{
"transforms": {
"my_transform_id": {
"type": "filter",
"inputs": [
"my-source-or-transform-id"
],
"condition": ".level != \"debug\""
}
}
}
[{"log":{"level":"info","message":"I'm a normal info log"}}]