Update filters to FilterX

The following sections show you how you can change your existing filters and rewrite rules to FilterX statements. Note that:

Many examples in the FilterX documentation were adapted from the existing filter, parser, and rewrite examples to show how you can achieve the same functionality with FilterX.
Don’t worry if you can’t update something to FilterX. While you can’t use other blocks within a FilterX block, you can use both in a log statement, for example, you can use a FilterX block, then a parser if needed.
There is no push to use FilterX. You can keep using the traditional blocks if they satisfy your requirements.

Update filters to FilterX

This section shows you how to update your existing filter expressions to filterx.

You can replace most filter functions with a simple value comparison of the appropriate macro, for example:

facility(user) with ${FACILITY} == "user"
host("example-host") with ${HOST} == "example-host"
level(warning) with ${LEVEL} == "warning"

If you want to check for a range of levels, use numerical comparison with the ${LEVEL_NUM} macro instead. For a list of numerical level values, see LEVEL_NUM.
message("example") with ${MESSAGE} =~ "example" (see the equal tilde operator for details)
program(nginx) with ${PROGRAM} == "nginx"
source(my-source) with ${SOURCE} == "my-source"

You can compare values and use boolean operators similarly to filters.

Since all FilterX statements must match a message to pass the FilterX block, you can often replace complex boolean filter expressions with multiple, simple FilterX statements. For example, consider the following filter statement:

filter { host("example1") and program("nginx"); };

The following is the same FilterX statement:

filterx { ${HOST} == "example1" and ${PROGRAM} == "nginx"; };

which is equivalent to:

filterx {
    ${HOST} == "example1";
    ${PROGRAM} == "nginx";
};

The following filter functions have no equivalents in FilterX yet:

The filter() filter function. You can’t call a FilterX block from another FilterX block, but you can access name-value pairs and pass variables from multiple FilterX blocks.
netmask() and netmask6()
inlist()
rate-limit()
tags()

Update rewrite rules

This section shows you how to update your existing rewrite expressions to filterx.

You can replace most rewrite rules with FilterX functions and value assignments, for example:

rewrite{subst()} with the regexp_subst FilterX function
rewrite{set()} with value assignments
rewrite{unset()} with the unset FilterX function
rewrite{rename()} with assigning a value to the new field, then using the unset function on the old field

Last modified December 18, 2024: Merge pull request #90 from axoflow/minor-fixes-241218 (68cd7df)