Conditional processing lets you selectively apply processors to logs based on the value of fields that those logs contain. This feature lets you create processing pipelines that only process records that meet certain criteria, and ignore the rest.
Conditional processing is available in Fluent Bit version 4.0 and greater.
You can turn a standard processor into a conditional processor by adding a
condition block to the processor's YAML configuration settings.
{% hint style="info" %} Conditional processing is only available for YAML configuration files, not classic configuration files. {% endhint %}
These condition blocks use the following syntax:
pipeline:
inputs:
<...>
processors:
logs:
- name: {processor_name}
<...>
condition:
op: {and|or}
rules:
- field: {field_name1}
op: {comparison_operator}
value: {comparison_value1}
- field: {field_name2}
op: {comparison_operator}
value: {comparison_value2}
<...>Each processor can only have a single condition block, but that condition can
include multiple rules. These rules are stored as items in the condition.rules
array.
The condition.op parameter specifies the condition's evaluation logic. It has
two possible values:
and: A log entry meets this condition when all of the rules in thecondition.rulesare truthy.or: A log entry meets this condition when one or more rules in thecondition.rulesarray are truthy.
Each item in the condition.rules array must include values for the following parameters:
| Parameter | Description |
|---|---|
field |
The field within your logs to evaluate. The value of this parameter must use the correct syntax to access the fields inside logs. |
op |
The comparison operator to evaluate whether the rule is true. This parameter (condition.rules.op) is distinct from the condition.op parameter and has different possible values. |
value |
The value of the specified log field to use in your comparison. Optionally, you can provide an array that contains multiple values. |
Rules are evaluated against each log that passes through your data pipeline. For example, given a rule with these parameters:
- field: "$status"
op: eq
value: 200
This rule evaluates to true for a log that contains the string 'status':200, but evaluates to false for a log that contains the string 'status':403.
The conditions.rules.field parameter uses record accessor syntax to reference fields inside logs.
You can use $field syntax to access a top-level field, and $field['child']['subchild'] to access nested fields.
The conditions.rules.op parameter has the following possible values:
eq: equal toneq: not equal togt: greater thanlt: less thangte: greater than or equal tolte: less than or equal toregex: matches a regular expressionnot_regex: does not match a regular expressionin: is included in the specified arraynot_in: is not included in the specified array
This example applies a condition that only processes logs that contain the
string {"request": {"method": "POST":
pipeline:
inputs:
- name: dummy
dummy: '{"request": {"method": "GET", "path": "/api/v1/resource"}}'
tag: request.log
processors:
logs:
- name: content_modifier
action: insert
key: modified_if_post
value: true
condition:
op: and
rules:
- field: "$request['method']"
op: eq
value: "POST"This example applies a condition that only processes logs when all of the specified rules are met:
pipeline:
inputs:
- name: dummy
dummy: '{"request": {"method": "POST", "path": "/api/v1/sensitive-data"}}'
tag: request.log
processors:
logs:
- name: content_modifier
action: insert
key: requires_audit
value: true
condition:
op: and
rules:
- field: "$request['method']"
op: eq
value: "POST"
- field: "$request['path']"
op: regex
value: "\/sensitive-.*"This example applies a condition that only processes logs when one or more of the specified rules are met:
pipeline:
inputs:
- name: dummy
dummy: '{"request": {"method": "GET", "path": "/api/v1/resource", "status_code": 200, "response_time": 150}}'
tag: request.log
processors:
logs:
- name: content_modifier
action: insert
key: requires_performance_check
value: true
condition:
op: or
rules:
- field: "$request['response_time']"
op: gt
value: 100
- field: "$request['status_code']"
op: gte
value: 400This example uses an array for the value of condition.rules.value:
pipeline:
inputs:
- name: dummy
dummy: '{"request": {"method": "GET", "path": "/api/v1/resource"}}'
tag: request.log
processors:
logs:
- name: content_modifier
action: insert
key: high_priority_method
value: true
condition:
op: and
rules:
- field: "$request['method']"
op: in
value: ["POST", "PUT", "DELETE"]This example uses multiple processors with conditional processing enabled for each:
pipeline:
inputs:
- name: dummy
dummy: '{"log": "Error: Connection refused", "level": "error", "service": "api-gateway"}'
tag: app.log
processors:
logs:
- name: content_modifier
action: insert
key: alert
value: true
condition:
op: and
rules:
- field: "$level"
op: eq
value: "error"
- field: "$service"
op: in
value: ["api-gateway", "authentication", "database"]
- name: content_modifier
action: insert
key: paging_required
value: true
condition:
op: and
rules:
- field: "$log"
op: regex
value: "(?i)(connection refused|timeout|crash)"
- field: "$level"
op: in
value: ["error", "fatal"]This configuration adds an alert field to error logs from critical services,
and adds a paging_required field to errors that contain specific critical patterns.