Rewrite
Rewrite filters can be used to modify record contents. Logging operator currently supports the following rewrite functions:
Note: All rewrite functions support an optional condition which has the same syntax as the match filter.
For details on how rewrite rules work in syslog-ng, see the documentation of the AxoSyslog syslog-ng distribution.
Group unset
The group_unset function removes from the record a group of fields matching a pattern.
filters:
  - rewrite:
      - group_unset:
          pattern: "json.kubernetes.annotations.*"
For details, see the documentation of the AxoSyslog syslog-ng distribution.
Rename
The rename function changes the name of an existing field.
filters:
  - rewrite:
      - rename:
          oldName: "json.kubernetes.labels.app"
          newName: "json.kubernetes.labels.app.kubernetes.io/name"
For details, see the documentation of the AxoSyslog syslog-ng distribution.
Set
The set function sets the value of a field.
filters:
  - rewrite:
      - set:
          field: "json.kubernetes.cluster"
          value: "prod-us"
For details, see the documentation of the AxoSyslog syslog-ng distribution.
Substitute (subst)
The subst function replaces parts of a field with a replacement value based on a pattern.
filters:
  - rewrite:
      - subst:
          # Single quotes: \d is not a valid escape in a double-quoted YAML string.
          pattern: '\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d'
          replace: "[redacted bank card number]"
          field: "MESSAGE"
The function also supports the type and flags fields for specifying pattern type and flags as described in the match expression regexp function.
For details, see the documentation of the AxoSyslog syslog-ng distribution.
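Before relying on the rule above for redaction, it helps to check what the pattern leaves behind. The following is an added example, not part of the Logging operator documentation: it models subst with Python's re module (an assumption standing in for syslog-ng's regexp engine, which replaces only the first match unless the global flag is set) and audits constructed messages for card numbers that survive the rewrite. The function names are hypothetical.

```python
import re

# Pattern and replacement copied from the subst example on this page.
PAGE_PATTERN = r"\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d"
REPLACEMENT = "[redacted bank card number]"

# Audit-only detector (assumption: 16-digit cards, optional space/dash groups).
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")

# Constructed messages; the card values are public test numbers.
SAMPLES = [
    "payment ok card=4111-1111-1111-1111",
    "retry card=4111-1111-1111-1111 fallback=5555-5555-5555-4444",
    "payment ok card=4111 1111 1111 1111",
    "payment ok card=4111111111111111",
]


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives in the audit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def subst(message, global_flag=False):
    """Model of the rewrite: first match only unless 'global' is set."""
    return re.sub(PAGE_PATTERN, REPLACEMENT, message,
                  count=0 if global_flag else 1)


def leaked_cards(message):
    """Luhn-valid card candidates still present in a rewritten message."""
    hits = (m.group() for m in CANDIDATE.finditer(message))
    return [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]


def audit(global_flag=False):
    """Return (rewritten message, leaked values) for every sample."""
    rewritten = [subst(s, global_flag) for s in SAMPLES]
    return [(r, leaked_cards(r)) for r in rewritten]


if __name__ == "__main__":
    for out, leaks in audit(global_flag=True):
        print("LEAK" if leaks else "ok  ", out)
```

A message reported as LEAK either carries a second card number that a first-match-only rewrite skipped, or uses a separator style the dash-only pattern does not cover.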
Unset
You can unset macros or fields of the message.
Note: Unsetting a field completely deletes any previous value of the field.
filters:
  - rewrite:
      - unset:
          field: "json.kubernetes.cluster"
For details, see the documentation of the AxoSyslog syslog-ng distribution.
Configuration
RewriteConfig
group_unset (*GroupUnsetConfig, optional)
rename (*RenameConfig, optional)
set (*SetConfig, optional)
subst (*SubstituteConfig, optional)
unset (*UnsetConfig, optional)
RenameConfig
For details, see the documentation of the AxoSyslog syslog-ng distribution.
condition (*MatchExpr, optional)
newName (string, required)
oldName (string, required)
SetConfig
For details, see the documentation of the AxoSyslog syslog-ng distribution.
condition (*MatchExpr, optional)
field (string, required)
value (string, required)
SubstituteConfig
For details, see the documentation of the AxoSyslog syslog-ng distribution.
condition (*MatchExpr, optional)
field (string, required)
flags ([]string, optional)
pattern (string, required)
replace (string, required)
type (string, optional)
UnsetConfig
For details, see the documentation of the AxoSyslog syslog-ng distribution.
condition (*MatchExpr, optional)
field (string, required)
GroupUnsetConfig
For details, see the documentation of the AxoSyslog syslog-ng distribution.