  • Language: Ruby
  • License: Other
  • Created almost 12 years ago
  • Updated about 1 year ago


Fluentd output filter plugin that rewrites tags when a specified attribute matches.

fluent-plugin-rewrite-tag-filter

Overview

Rewrite Tag Filter for Fluentd. It is designed to rewrite tags in the style of mod_rewrite.
It re-emits a record with a rewritten tag when a value matches (or does not match) a regular expression.
For example, you can change the tag of Apache log events by domain, status code (ex. 500 error),
user-agent, request-uri, regex backreference and so on, using regular expressions.

This is an output plugin because Fluentd's filter plugins do not allow tag rewriting.

Requirements

| fluent-plugin-rewrite-tag-filter | Fluentd    | Ruby   |
|----------------------------------|------------|--------|
| >= 2.0.0                         | >= v0.14.2 | >= 2.1 |
| < 2.0.0                          | >= v0.12.0 | >= 1.9 |

Installation

Install with gem or td-agent-gem command as:

# for system installed fluentd
$ gem install fluent-plugin-rewrite-tag-filter

# for td-agent2 (with fluentd v0.12)
$ sudo td-agent-gem install fluent-plugin-rewrite-tag-filter -v 1.6.0

# for td-agent3 (with fluentd v0.14)
$ sudo td-agent-gem install fluent-plugin-rewrite-tag-filter

For more details, see Plugin Management

Configuration

  • rewriterule<num> (string) (optional) <attribute> <regex_pattern> <new_tag>
    • Obsoleted: Use <rule> section
  • capitalize_regex_backreference (bool) (optional): Capitalize the first letter of every matched regex backreference (ex: maps -> Maps). For more details, see Usage.
    • Default value: no
  • remove_tag_prefix (string) (optional): Remove this prefix from the tag used in the tag placeholder. (See the "Tag placeholder" section.)
  • hostname_command (string) (optional): Override the command used to obtain the hostname for the placeholder. (See the "Tag placeholder" section.)
    • Default value: hostname
  • emit_mode (enum) (required): Set emit_mode to batch or record. batch emits events per rewritten tag, which decreases IO. record emits events per record.
    • Default value: batch

<rule> section (optional) (multiple)

  • key (string) (required): The name of the field to which the regular expression is applied
  • pattern (regexp) (required): The regular expression. The /regexp/ style is preferred because it supports character classes such as /[a-z]/. A pattern written without slashes causes errors if it starts with a character class.
  • tag (string) (required): New tag
  • label (string) (optional): New label. If specified, the label can be changed per rule.
  • invert (bool) (optional): If true, rewrite the tag when the pattern does not match
    • Default value: false

Usage

This sample excludes log entries for some static files before splitting the tag by domain.

<source>
  @type tail
  path /var/log/httpd/access_log
  format apache2
  time_format %d/%b/%Y:%H:%M:%S %z
  tag td.apache.access
  pos_file /var/log/td-agent/apache_access.pos
</source>

# "capitalize_regex_backreference yes" converts the first letter of every matched backreference to upper case. ex: maps -> Maps
# The 2nd <rule> redirects records whose status code is not 200 to the tag named "clear".
# The 3rd <rule> redirects records whose domain does not end with ".com" to the tag named "clear".
# In the 6th <rule>, "site.$2$1" becomes "site.ExampleMail" because of the capitalize_regex_backreference option.
<match td.apache.access>
  @type rewrite_tag_filter
  capitalize_regex_backreference yes
  <rule>
    key     path
    pattern /\.(gif|jpe?g|png|pdf|zip)$/
    tag clear
  </rule>
  <rule>
    key     status
    pattern /^200$/
    tag     clear
    invert  true
  </rule>
  <rule>
    key     domain
    pattern /^.+\.com$/
    tag     clear
    invert  true
  </rule>
  <rule>
    key     domain
    pattern /^maps\.example\.com$/
    tag     site.ExampleMaps
  </rule>
  <rule>
    key     domain
    pattern /^news\.example\.com$/
    tag     site.ExampleNews
  </rule>
  <rule>
    key     domain
    pattern /^(mail)\.(example)\.com$/
    tag     site.$2$1
  </rule>
  <rule>
    key     domain
    pattern /.+/
    tag     site.unmatched
  </rule>
</match>

<match site.*>
  @type mongo
  host localhost
  database apache_access
  remove_tag_prefix site
  tag_mapped
  capped
  capped_size 100m
</match>

<match clear>
  @type null
</match>

Result

$ mongo
MongoDB shell version: 2.2.0
> use apache_access
switched to db apache_access
> show collections
ExampleMaps
ExampleNews
ExampleMail
unmatched
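
The sample rule set can be dry-run before it is deployed. The Ruby sketch below is an added example, not the plugin's own code: `Rule`, `RULES`, `rewrite_tag` and `STRICT_RULES` are hypothetical names, the records are constructed, and it assumes rules are tried top to bottom with the first hit deciding the tag. It also shows that Ruby's `^` and `$` anchor at line boundaries, while `\A` and `\z` anchor the whole string.

```ruby
# Added example: a simplified model of rule evaluation, not the plugin's code.
# Assumption: rules are tried top to bottom and the first hit decides the tag.
Rule = Struct.new(:key, :pattern, :tag, :invert)

RULES = [
  Rule.new("path",   /\.(gif|jpe?g|png|pdf|zip)$/, "clear",            false),
  Rule.new("status", /^200$/,                      "clear",            true),
  Rule.new("domain", /^.+\.com$/,                  "clear",            true),
  Rule.new("domain", /^maps\.example\.com$/,       "site.ExampleMaps", false),
  Rule.new("domain", /^news\.example\.com$/,       "site.ExampleNews", false),
  Rule.new("domain", /^(mail)\.(example)\.com$/,   "site.$2$1",        false),
  Rule.new("domain", /.+/,                         "site.unmatched",   false),
].freeze

# Returns the rewritten tag, or nil when no rule applies to the record.
def rewrite_tag(record, rules = RULES, capitalize: true)
  rules.each do |rule|
    match = rule.pattern.match(record[rule.key].to_s)
    if rule.invert
      next if match          # inverted rule fires only when the pattern misses
      return rule.tag
    end
    next unless match
    # Substitute $1, $2, ... with the (optionally capitalized) capture groups.
    return rule.tag.gsub(/\$(\d+)/) do
      ref = match[Regexp.last_match(1).to_i].to_s
      capitalize ? ref.capitalize : ref
    end
  end
  nil
end

# Constructed records (not real log data).
SAMPLES = [
  { "path" => "/img/logo.png", "status" => "200", "domain" => "maps.example.com" },
  { "path" => "/",             "status" => "500", "domain" => "maps.example.com" },
  { "path" => "/",             "status" => "200", "domain" => "example.org" },
  { "path" => "/",             "status" => "200", "domain" => "mail.example.com" },
  { "path" => "/",             "status" => "200", "domain" => "shop.example.com" },
  # Multi-line value: /^200$/ matches its second line, so the record is kept.
  { "path" => "/",             "status" => "500\n200", "domain" => "news.example.com" },
].freeze

# Same status rule with string anchors, which reject the multi-line value.
STRICT_RULES = RULES.map { |r| r.key == "status" ? Rule.new(r.key, /\A200\z/, r.tag, r.invert) : r }

SAMPLES.each { |rec| puts "#{rec.inspect} -> #{rewrite_tag(rec).inspect}" }
```

Moving the catch-all `/.+/` rule above the `mail` rule in `RULES` makes the `mail` sample come out as `site.unmatched`, which is the ordering mistake this kind of dry run is meant to catch.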

Debug

When td-agent starts, it logs the registered rules as shown below.

$ tailf /var/log/td-agent/td-agent.log
2012-09-16 18:10:51 +0900: adding match pattern="td.apache.access" type="rewrite_tag_filter"
2012-09-16 18:10:51 +0900: adding rewrite_tag_filter rule: [1, "path", /\.(gif|jpe?g|png|pdf|zip)$/, "clear"]
2012-09-16 18:10:51 +0900: adding rewrite_tag_filter rule: [2, "domain", /^maps\.example\.com$/, "site.ExampleMaps"]
2012-09-16 18:10:51 +0900: adding rewrite_tag_filter rule: [3, "domain", /^news\.example\.com$/, "site.ExampleNews"]
2012-09-16 18:10:51 +0900: adding rewrite_tag_filter rule: [4, "domain", /^(mail)\.(example)\.com$/, "site.$2$1"]
2012-09-16 18:10:51 +0900: adding rewrite_tag_filter rule: [5, "domain", /.+/, "site.unmatched"]

Nested attributes

Dot notation:

<match kubernetes.**>
  @type rewrite_tag_filter
  <rule>
    key $.kubernetes.namespace_name
    pattern ^(.+)$
    tag $1.${tag}
  </rule>
</match>

Bracket notation:

<match kubernetes.**>
  @type rewrite_tag_filter
  <rule>
    key $['kubernetes']['namespace_name']
    pattern ^(.+)$
    tag $1.${tag}
  </rule>
</match>

These example configurations can process nested attributes like the following:

{
  "kubernetes": {
    "namespace_name": "default"
  }
}

When the original tag is kubernetes.var.log, it is rewritten to default.kubernetes.var.log.

Tag placeholder

The following placeholders are supported in new_tag (the rewritten tag).

  • ${tag}
  • __TAG__
  • ${tag_parts[n]}
  • __TAG_PARTS[n]__
  • ${hostname}
  • __HOSTNAME__

The ${tag_parts[n]} and __TAG_PARTS[n]__ placeholders access, by index, the parts obtained by splitting the tag on "." (dot).
For example, with the tag td.apache.access, ${tag_parts[0]} gives td and ${tag_parts[1]} gives apache.

Note: Currently, the range expression ${tag_parts[0..2]} is not supported.

Placeholder Options

  • remove_tag_prefix

This option removes the given tag prefix from the value of the ${tag} or __TAG__ placeholder.

  • remove_tag_regexp

This option removes the part of the tag that matches the given regexp from the value of the ${tag} or __TAG__ placeholder.

  • hostname_command

By default, the hostname command is executed to get the full hostname.
If needed, the command can be overridden with the hostname_command option.
For example, configuring hostname_command hostname -s yields the short hostname.

Placeholder Usage

These samples rewrite a tag using placeholders.

# The tag becomes "rewritten.access.ExampleMail"
<match apache.access>
  @type rewrite_tag_filter
  capitalize_regex_backreference yes
  remove_tag_prefix apache
  <rule>
    key     domain
    pattern ^(mail)\.(example)\.com$
    tag     rewritten.${tag}.$2$1
  </rule>
</match>

# The tag becomes "rewritten.access.ExampleMail"
<match apache.access>
  @type rewrite_tag_filter
  capitalize_regex_backreference yes
  remove_tag_regexp /^apache\./
  <rule>
    key     domain
    pattern ^(mail)\.(example)\.com$
    tag     rewritten.${tag}.$2$1
  </rule>
</match>

# The tag becomes "http.access.log"
<match input.{apache,nginx}.access.log>
  @type rewrite_tag_filter
  remove_tag_regexp /^input\.(apache|nginx)\./
  <rule>
    key     domain
    pattern ^.+$
    tag     http.${tag}
  </rule>
</match>

# The tag becomes "rewritten.ExampleMail.app30-124.foo.com" when the hostname is "app30-124.foo.com"
<match apache.access>
  @type rewrite_tag_filter
  capitalize_regex_backreference yes
  <rule>
    key     domain
    pattern ^(mail)\.(example)\.com$
    tag     rewritten.$2$1.${hostname}
  </rule>
</match>

# The tag becomes "rewritten.ExampleMail.app30-124" when the hostname is "app30-124.foo.com"
<match apache.access>
  @type rewrite_tag_filter
  capitalize_regex_backreference yes
  hostname_command hostname -s
  <rule>
    key     domain
    pattern ^(mail)\.(example)\.com$
    tag     rewritten.$2$1.${hostname}
  </rule>
</match>

# The tag becomes "rewritten.game.pool"
<match app.game.pool.activity>
  @type rewrite_tag_filter
  <rule>
    key     domain
    pattern ^.+$
    tag     rewritten.${tag_parts[1]}.${tag_parts[2]}
  </rule>
</match>

Altering Labels

In addition to changing tags, you can also change an event's route by setting the label for the re-emitted event.

For example, given this configuration:

<match apache.access>
  @type rewrite_tag_filter
  <rule>
    key     domain
    pattern ^www\.example\.com$
    tag     web.${tag}
  </rule>
  <rule>
    key     domain
    pattern ^(.*)\.example\.com$
    tag     other.$1
    label   other
  </rule>
</match>

The message {"domain": "www.example.com"} will get its tag changed to web.apache.access, while the message {"domain": "api.example.com"} will get its tag changed to other.api and be sent to the label other.

TODO

Pull requests are very welcome!!

Copyright

Copyright : Copyright (c) 2012- Kentaro Yoshida (@yoshi_ken)
License : Apache License, Version 2.0
