Regex Filter

Filter Cribl Compatible

Synopsis

Filters out events based on regular expression matches.

Schema

regex_filter:
  - field: <ident>
  - regex: <string>
  - regexes: <string[]>
  - description: <text>
  - if: <script>
  - ignore_failure: <boolean>
  - ignore_missing: <boolean>
  - on_failure: <processor[]>
  - on_success: <processor[]>
  - tag: <string>

Configuration

Field	Required	Default	Description
`field`	Y	-	Field to match against patterns
`regex`	N	-	Single regex pattern to match
`regexes`	N	-	Additional patterns to match
`description`	N	-	Explanatory note
`if`	N	-	Condition to run
`ignore_failure`	N	`false`	Continue if matching fails
`ignore_missing`	N	`false`	Continue if source field doesn't exist
`on_failure`	N	-	See Handling Failures
`on_success`	N	-	See Handling Success
`tag`	N	-	Identifier

Details

The processor uses Golang regular expressions to match field content.

If either the primary regex or any pattern in regexes matches, the event is dropped from the pipeline. This is useful for filtering out unwanted events.

Multiple patterns can be specified, and any match will trigger the filter.

caution

Complex regular expressions may impact performance.

The processor can be nicely dove-tailed with conditional execution, field value validation, and error handling and success/failure processors.

If no patterns are specified, all events pass through. Empty field content is treated as non-matching. Matching success triggers event dropping.

warning

Invalid regex patterns and non-string field values will cause errors unless ignore_failure is set. Missing fields can be skipped by setting ignore_missing.

Examples

Basic

Messages containing errors...	`{ "message": "error occurred" }` `regex_filter: - field: message - regex: "error.*"`
are dropped when the event matches:	`Event dropped from pipeline`

Multi-Pattern

Filtering out both errors and warnings...	`{ "message": "warning: system overload" }` `regex_filter: - field: message - regexes: - "error." - "warning."`
drops both the warning and the event:	`Event dropped from pipeline`

Non-Matching Event

Allowing non-matching messages through...	`{ "message": "success message" }` `regex_filter: - field: message - regex: "error.*"`
lets the event to continue:	`{ "message": "success message" }`

Conditionals

Filtering only when a condition is met...	`{ "message": "error message", "level": "info" }` `regex_filter: - if: "ctx.level == 'error'" - field: message - regex: "error.*"`
skips the event upon match:	`{ "message": "error message", "level": "info" }`

Missing Fields

Handling missing fields gracefully...	`{}` `regex_filter: - field: nonexistent - regex: "error.*" - ignore_missing: true`
continues the execution:	`{}`

Non-String Fields

Handling non-string field values...	`{ "message": 123 }` `regex_filter: - field: message - regex: "error.*" - ignore_failure: true`
skips filtering upon invalid types:	`{ "message": 123 }`

Synopsis​

Schema​

Configuration​

Details​

Examples​

Basic​

Multi-Pattern​

Non-Matching Event​

Conditionals​

Missing Fields​

Non-String Fields​