Rewrite

Rewrite filters can be used to modify record contents. The Logging operator currently supports the following rewrite functions: group_unset, rename, set, subst, and unset.

Note: All rewrite functions support an optional condition which has the same syntax as the match filter.

Group unset

The group_unset function removes from the record a group of fields matching a pattern.

  filters:
  - rewrite:
    - group_unset:
        pattern: "json.kubernetes.annotations.*"

Rename

The rename function changes the name of an existing field.

  filters:
  - rewrite:
    - rename:
        oldName: "json.kubernetes.labels.app"
        newName: "json.kubernetes.labels.app.kubernetes.io/name"

Set

The set function sets the value of a field.

  filters:
  - rewrite:
    - set:
        field: "json.kubernetes.cluster"
        value: "prod-us"

Substitute (subst)

The subst function replaces parts of a field with a replacement value based on a pattern.

  filters:
  - rewrite:
    - subst:
        # Single quotes: "\d" is not a valid escape in a double-quoted YAML string.
        pattern: '\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d'
        replace: "[redacted bank card number]"
        field: "MESSAGE"

The function also supports the type and flags fields for specifying pattern type and flags as described in the match expression regexp function.
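
An added example (not from the Logging operator documentation): a Python check that runs the pattern and replacement from the subst example above over constructed log lines, to show which card-number formats that pattern leaves unredacted. It assumes syslog-ng's documented subst behaviour of replacing only the first match unless the global flag is set; the helper names subst, leaks and audit are hypothetical.

```python
import re

# Pattern and replacement copied from the subst example on this page.
# re.ASCII keeps \d to 0-9, as in a default PCRE match.
PATTERN = re.compile(r"\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d", re.ASCII)
REPLACE = "[redacted bank card number]"

# Looser detector used only for auditing: 16 digits in groups of four,
# separated by a dash, a space, or nothing.
LOOSE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b", re.ASCII)

# Constructed sample log lines (well-known test card numbers, not real data).
SAMPLES = [
    "payment ok card=4111-1111-1111-1111",
    "retry card=4111-1111-1111-1111 fallback=5555-5555-5555-4444",
    "card=4111 1111 1111 1111 declined",
    "card=4111111111111111 declined",
]


def subst(message, global_flag=False):
    """Emulate subst on one field (assumption: first match only unless global)."""
    count = 0 if global_flag else 1  # count=0 means "replace every match"
    return PATTERN.sub(REPLACE, message, count=count)


def leaks(message):
    """Return card-like digit runs still present in an already rewritten message."""
    return LOOSE.findall(message)


def audit(samples, global_flag=False):
    """Map each original line to the card-like values that survive the rewrite."""
    return {line: leaks(subst(line, global_flag)) for line in samples}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"global={flag}")
        for line, left in audit(SAMPLES, flag).items():
            status = "LEAK " + repr(left) if left else "clean"
            print(f"  {status:40} <- {line}")
```

Lines that still report a leak with global enabled show formats the dash-only pattern does not cover, so the pattern needs widening before the filter is relied on for redaction.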

Unset

You can unset macros or fields of the message.

Note: Unsetting a field completely deletes any previous value of the field.

  filters:
  - rewrite:
    - unset:
        field: "json.kubernetes.cluster"

Configuration

RewriteConfig

group_unset (*GroupUnsetConfig, optional)

Default: -

rename (*RenameConfig, optional)

Default: -

set (*SetConfig, optional)

Default: -

subst (*SubstituteConfig, optional)

Default: -

unset (*UnsetConfig, optional)

Default: -

RenameConfig

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/78#TOPIC-1829213

oldName (string, required)

Default: -

newName (string, required)

Default: -

condition (*MatchExpr, optional)

Default: -

SetConfig

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/77#TOPIC-1829207

field (string, required)

Default: -

value (string, required)

Default: -

condition (*MatchExpr, optional)

Default: -

SubstituteConfig

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/77#TOPIC-1829206

pattern (string, required)

Default: -

replace (string, required)

Default: -

field (string, required)

Default: -

flags ([]string, optional)

Default: -

type (string, optional)

Default: -

condition (*MatchExpr, optional)

Default: -

UnsetConfig

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/78#TOPIC-1829212

field (string, required)

Default: -

condition (*MatchExpr, optional)

Default: -

GroupUnsetConfig

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/78#TOPIC-1829212

pattern (string, required)

Default: -

condition (*MatchExpr, optional)

Default: -