This section describes the filter use cases.
Filtering Use Cases
Level
To filter logs by level, use the following syntax. The log level is stored in the level attribute and accessed as attributes["level"].
Example 1: Drop Debug-level logs
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["level"] == "Debug"'
This filter drops any log entry whose level attribute equals Debug. The level attribute takes one of the following values: Emergency, Alert, Critical, Error, Warn, Notice, Info, Debug, Unknown.
Example 2: Drop Info or Warn logs (OR behavior)
Option 1 — separate list entries (OR behavior):
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["level"] == "Info"'
      - 'attributes["level"] == "Warn"'
Option 2 — a single condition with or:
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["level"] == "Warn" or attributes["level"] == "Info"'
Both options behave the same.
IP Address
To filter logs by IP address, use the syntax below. The address is captured on the resource object under resource.attributes["ipaddress"]: the string value holds the source host's IPv4 or IPv6 address (e.g., "172.26.26.20").
Example 1: Drop logs from an IP range
Logs:
  enable: true
  filter:
    log_record:
      - 'IsMatch(resource.attributes["ipaddress"], "^172\\.26\\.\\d{1,3}\\.\\d{1,3}$")'
Drops logs whose ipaddress matches the regex ^172\.26\.\d{1,3}\.\d{1,3}$ (the 172.26.x.x range).
IsMatch(target, pattern) uses Go’s regexp.MatchString semantics.
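The following is an added example, not code from the original page or the product: it runs the IP pattern above and the message pattern used later on this page through regexp.MatchString against constructed sample values, and compares the IP pattern with a strict 172.26.0.0/16 check. The names dropRange, isMatch and inRange are hypothetical, and the agent's IsMatch is assumed to behave as stated above.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Patterns from this page's filter examples, with the YAML string escaping removed.
const (
	ipPattern   = `^172\.26\.\d{1,3}\.\d{1,3}$`
	bodyPattern = `.*RFC3164.*`
)

// dropRange is the network the IP pattern is described as covering (172.26.x.x).
var dropRange = netip.MustParsePrefix("172.26.0.0/16")

// isMatch evaluates a pattern with regexp.MatchString: it reports a match
// anywhere in target unless the pattern anchors itself with ^ and $.
func isMatch(target, pattern string) bool {
	ok, err := regexp.MatchString(pattern, target)
	return err == nil && ok
}

// inRange is a strict check: target must parse as an IP address and fall
// inside dropRange. IPv4-mapped IPv6 forms are unwrapped before comparing.
func inRange(target string) bool {
	addr, err := netip.ParseAddr(target)
	return err == nil && dropRange.Contains(addr.Unmap())
}

func main() {
	// Constructed sample values for resource.attributes["ipaddress"].
	ips := []string{"172.26.26.20", "172.27.0.1", "172.26.999.1",
		"::ffff:172.26.26.20", "172.26.26.20 "}
	for _, ip := range ips {
		fmt.Printf("%-24q regex=%-5t cidr=%t\n", ip, isMatch(ip, ipPattern), inRange(ip))
	}
	// Constructed sample bodies: the leading and trailing .* add nothing,
	// because an unanchored pattern already matches a substring.
	bodies := []string{"RFC3164 syslog sent over UDP",
		"login failed, relayed by RFC3164 forwarder", "RFC5424 syslog sent over TCP"}
	for _, b := range bodies {
		fmt.Printf("%-46q wrapped=%-5t bare=%t\n", b, isMatch(b, bodyPattern), isMatch(b, "RFC3164"))
	}
}
```

A drop filter removes records before they are stored, so checking a pattern against values it should and should not match before deployment keeps it from discarding more than intended.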
Example 2: Drop logs from a single IP
Logs:
  enable: true
  filter:
    log_record:
      - 'resource.attributes["ipaddress"] == "172.26.26.20"'
Drops all logs whose ipaddress == "172.26.26.20".
Priority
To filter logs by priority, use the numeric value stored in the priority attribute and access it as attributes["priority"]. This lets you drop logs with one specific priority or any logs whose priority falls within a numeric range.
Example 1: Drop logs with a single priority
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["priority"] == 13'
Drops logs where priority == 13.
Example 2: Drop logs in a priority range
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["priority"] >= 10 and attributes["priority"] <= 15'
Drops logs where priority is between 10 and 15 (inclusive).
Facility
To filter logs by facility, use the numeric value stored in the facility attribute and access it as attributes["facility"]. This lets you drop logs with one specific facility or any logs whose facility falls within a numeric range.
Example 1: Drop logs with a specific facility
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["facility"] == 1'
Drops logs where facility == 1.
Example 2: Drop logs in a facility range
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["facility"] >= 16 and attributes["facility"] <= 23'
Drops logs where facility is between 16 and 23 (inclusive).
Message
To filter logs by message content, use the text stored in body. This lets you drop logs that match an exact message, contain a specific substring, or match a regular expression pattern.
Example 1: Drop logs with an exact message
Logs:
  enable: true
  filter:
    log_record:
      - 'body == "RFC3164 syslog sent over UDP"'
Drops logs where the message is exactly RFC3164 syslog sent over UDP.
Example 2: Drop logs where the message matches a regex
Logs:
  enable: true
  filter:
    log_record:
      - 'IsMatch(body, ".*RFC3164.*")'
Drops logs where the message contains RFC3164.
Recommended Logs Filter Configuration
All conditions for logs sit in one filter: block.
Each list entry is OR'd.
Drop if:
- level is Debug, or
- IP is in 172.26.x.x, or
- priority is 13, or
- facility is 1, or
- message contains RFC3164
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["level"] == "Debug"'
      - 'IsMatch(resource.attributes["ipaddress"], "^172\\.26\\.\\d{1,3}\\.\\d{1,3}$")'
      - 'attributes["priority"] == 13'
      - 'attributes["facility"] == 1'
      - 'IsMatch(body, ".*RFC3164.*")'
Require multiple conditions (use and)
Drop only if both level and IP match:
Logs:
  enable: true
  filter:
    log_record:
      - 'attributes["level"] == "Debug" and resource.attributes["ipaddress"] == "172.26.26.20"'