Implementing Filters
Osmany Montero edited this page Jan 16, 2026 · 1 revision
Filters are the building blocks of the data parsing pipeline. They transform raw, unstructured logs into standardized, structured objects ready for analysis.
A filter consists of a pipeline which contains one or more stages. Each stage matches specific dataTypes and executes a sequence of steps.
```yaml
pipeline:
  - dataTypes:
      - wineventlog
    steps:
      - json:
          source: raw
      - rename:
          from: [log.host.ip]
          to: origin.ip
```

- Selection: When a log arrives, the parsing plugin matches it to a filter stage based on its `dataType`.
- Sequential Execution: Steps are executed in the exact order they appear in the YAML.
- State Management: Each step modifies the current "Draft" of the log. If a step fails, the pipeline may continue depending on the step type and error.
- Standardization: The goal is to map vendor-specific fields (e.g., `src_ip`) to the common UTMStack schema (`origin.ip`).
Every step supports a `where` clause used to determine if the step should run:

```yaml
- delete:
    fields: [temporary_meta]
    where: exists("action")
```

Here is a high-level view of an Apache parsing pipeline:
- JSON Parse: Extract structured metadata from the raw entry.
- Rename: Map Apache fields to UTMStack standards.
- Grok Patterns: Extract IP, User, and Path from the message string.
- Enrichment: Add Geolocation using the `dynamic` plugin.
- Normalization: Map HTTP status codes to standardized actions (e.g., `accepted`, `denied`).
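The behaviour described above (stage selection by `dataType`, strict step order, the mutable draft, `where` guards) and the first three steps of the Apache walk-through, as an added example that is not part of this page and is not UTMStack's own parser: a small Python model that interprets the pipeline YAML (written here as the equivalent Python structure) over constructed sample logs. The `%{NAME:field}` grok syntax, its pattern names, the `origin.user` and `http.*` field names, and the rule that a failed `json` parse aborts the stage while a missing `rename` source or a grok miss just continues are assumptions; the real step definitions are in the Filter Steps Reference. Geolocation enrichment and status-code normalization are not modelled.

```python
# Added illustrative model of the filter semantics described on this page; it is NOT
# UTMStack's parser. Inputs are constructed; grok syntax and pattern names are assumed.
import json
import re
APACHE_LINE = '203.0.113.7 - alice [16/Jan/2026:10:00:00 +0000] "GET /admin HTTP/1.1" 403 512'
SAMPLE_LOGS = [  # constructed, not captured from a real system
    {"dataType": "wineventlog", "raw": '{"log": {"host": {"ip": "10.0.0.5"}}, "event_id": 4625}'},
    {"dataType": "apache", "raw": json.dumps({"host": "web01", "message": APACHE_LINE})},
    {"dataType": "apache", "raw": "this is not JSON"},                  # json step failure
    {"dataType": "syslog", "raw": "<34>Jan 16 10:00:00 h sshd[1]: x"},  # no matching stage
]
# Assumed grok pattern library; %{NAME:field} captures into a dotted field path.
GROK_PATTERNS = {"IP": r"\d{1,3}(?:\.\d{1,3}){3}", "USER": r"[a-zA-Z0-9._-]+", "WORD": r"\w+",
                 "INT": r"\d+", "NOTSPACE": r"\S+", "DATA": r".*?", "URIPATH": r'/[^\s"?]*'}
APACHE_GROK = (r'%{IP:origin.ip} %{NOTSPACE} %{USER:origin.user} \[%{DATA}\] '
               r'"%{WORD:http.method} %{URIPATH:http.path}%{DATA}" %{INT:http.status}')
# The page's YAML pipeline plus an Apache stage, in the shape yaml.safe_load would give it.
PIPELINE = [
    {"dataTypes": ["wineventlog"],
     "steps": [{"json": {"source": "raw"}},
               {"rename": {"from": ["log.host.ip"], "to": "origin.ip"}}]},
    {"dataTypes": ["apache"],
     "steps": [{"json": {"source": "raw"}},
               {"grok": {"source": "message", "pattern": APACHE_GROK}},  # field names illustrative
               # guarded: drop the raw text only once grok has actually produced origin.ip
               {"delete": {"fields": ["message", "raw"], "where": 'exists("origin.ip")'}}]},
]

def get_path(d, path):
    """Read a dotted path such as log.host.ip; None when any segment is missing."""
    for key in path.split("."):
        d = d.get(key) if isinstance(d, dict) else None
    return d
def set_path(d, path, value):
    *parents, last = path.split(".")
    for key in parents:                       # create intermediate objects as needed
        if not isinstance(d.get(key), dict):
            d[key] = {}
        d = d[key]
    d[last] = value
def del_path(d, path):
    *parents, last = path.split(".")
    parent = get_path(d, ".".join(parents)) if parents else d
    if isinstance(parent, dict):
        parent.pop(last, None)

def compile_grok(pattern):
    """Expand %{NAME[:field]} tokens into regex groups; returns (regex, group -> field)."""
    fields = {}
    def expand(m):
        if m.group(2):
            fields[f"g{len(fields)}"] = m.group(2)
            return f"(?P<g{len(fields) - 1}>{GROK_PATTERNS[m.group(1)]})"
        return f"(?:{GROK_PATTERNS[m.group(1)]})"
    return re.compile(re.sub(r"%\{(\w+)(?::([\w.]+))?\}", expand, pattern)), fields

def eval_where(expr, draft):
    m = re.fullmatch(r'\s*(!?)\s*exists\("([^"]+)"\)\s*', expr)  # only [!]exists("f") modelled
    if not m:
        raise ValueError(f"unsupported where expression: {expr!r}")
    return (get_path(draft, m.group(2)) is not None) != bool(m.group(1))

def run_step(step, draft):
    """Apply one step to the draft in place; False means the stage stops here."""
    (name, cfg), = step.items()
    if "where" in cfg and not eval_where(cfg["where"], draft):
        return True                           # guard false: skip this step, stage continues
    if name == "json":
        try:
            parsed = json.loads(get_path(draft, cfg["source"]))
            if not isinstance(parsed, dict): raise ValueError("top-level value is not an object")
        except (TypeError, ValueError) as exc:
            draft["_error"] = f"json: {exc}"  # assumption: a failed parse aborts the stage
            return False
        draft.update(parsed)
    elif name == "rename":
        for src in cfg["from"]:
            if (value := get_path(draft, src)) is not None:  # missing source: no-op, continue
                set_path(draft, cfg["to"], value)
                del_path(draft, src)
    elif name == "grok":
        regex, fields = compile_grok(cfg["pattern"])
        text = get_path(draft, cfg["source"])
        match = regex.search(text) if isinstance(text, str) else None
        for group, path in (fields.items() if match else []):  # no match: draft unchanged
            set_path(draft, path, match.group(group))
    elif name == "delete":
        for field in cfg["fields"]:
            del_path(draft, field)
    else:
        raise ValueError(f"unknown step type: {name}")
    return True

def process(pipeline, log):
    draft = dict(log)                         # the draft starts as a copy of the incoming log
    stage = next((s for s in pipeline if log.get("dataType") in s["dataTypes"]), None)
    for step in (stage["steps"] if stage else []):   # no stage: log passes through unparsed
        if not run_step(step, draft):         # steps run strictly in YAML order
            break
    return draft
```

Calling `process(PIPELINE, log)` for each entry in `SAMPLE_LOGS` shows the outcomes a filter author should check for: the wineventlog entry ends with `origin.ip` populated and `log.host.ip` removed, the Apache entry gains `origin.*` and `http.*` fields and loses `message` and `raw`, the non-JSON entry stops at the `json` step with an `_error` marker and its `raw` text intact, and the syslog entry passes through untouched because no stage claims its `dataType`. Step order matters in this model exactly as the page states: running the `rename` before the `json` step finds no `log.host.ip` and silently does nothing. The `where` guard on the `delete` step is the practical point: without it, a grok miss would discard the only copy of the message before anyone could see why the pattern did not match.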
For a detailed list of all available operations, see the Filter Steps Reference.