All Products
Search
Document Center

Simple Log Service:CreateLogtailPipelineConfig

Last Updated:Apr 02, 2026

Creates a Logtail pipeline configuration.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

log:CreateLogtailPipelineConfig

create

*All Resource

*

  • log:TLSVersion
None

Request syntax

POST /pipelineconfigs HTTP/1.1

Request parameters

Parameter

Type

Required

Description

Example

project

string

Yes

The name of the project.

test-project

body

object

No

The content of the Logtail pipeline configuration.

configName

string

Yes

The name of the configuration.

Note

The configuration name must be unique within the project and cannot be modified after the configuration is created. The name must follow these rules:

  • It can contain only lowercase letters, digits, hyphens (-), and underscores (_).

  • It must start and end with a lowercase letter or a digit.

  • It must be 2 to 128 characters in length.

test-config

logSample

string

No

A sample log. Multiple log entries are supported.

2022-06-14 11:13:29.796 | DEBUG | __main__::1 - hello world

global

object

No

The global configuration.

inputs

array<object>

Yes

The list of input plugins.

Important Currently, you can configure only one input plugin.

object

No

The input plugin.

Note

For information about the parameters of the file input plugin, see File plugin. For information about the parameters of other input plugins, see Processing plugins.

{ "Type": "input_file", "FilePaths": ["/var/log/*.log"] }

processors

array<object>

No

The list of processing plugins.

Note

Processing plugins are classified into native processing plugins and extension processing plugins. For more information, see Processing plugins.

Important
Note
  • Native plugins can be used only to collect text logs.

  • You cannot add native plugins and extension plugins at the same time.

  • When you use native plugins, the following requirements must be met:
    • The first processing plugin must be a regular expression-based parsing plugin, a separator-based parsing plugin, a JSON-based parsing plugin, an NGINX-based parsing plugin, an Apache-based parsing plugin, or an IIS-based parsing plugin.

    • After the first processing plugin, you can add only one time parsing processing plugin, one filter plugin, and multiple data masking plugins.

object

No

The processing plugin.

Note

For more information about native and extension processing plugins, see Processing plugins.

{ "Type": "processor_parse_json_native", "SourceKey": "content" }

aggregators

array<object>

No

The list of aggregation plugins.

Important This parameter is valid only when you use extension processing plugins. You can use a maximum of one aggregation plugin.

object

No

The aggregation plugin.

flushers

array<object>

Yes

The list of output plugins.

Important Currently, you can add only one flusher_sls plugin.

object

No

The output plugin.

{ "Type": "flusher_sls", "Logstore": "test" }

task

object

No

The task configuration.

Global configuration

Parameter Type Required Default value Example Description
TopicType string No None filepath The topic type. Valid values:
  • filepath: extracts information from the log file path as the topic. This value is valid only when the input plugin is input_file.

  • machine_group_topic: uses the topic of the machine group to which the configuration is applied.

  • custom: a custom topic. For more information, see Log topic.

TopicFormat string No. This parameter is required if you set TopicType to filepath or custom. / /var/log/(.*).log The topic format.
EnableTimestampNanosecond bool No false false Specifies whether to enable nanosecond precision for timestamps.
PipelineMetaTagKey object No None {"HOST_NAME":"__hostname__"}
Important This parameter is supported only by LoongCollector 3.0.10 and later.
Controls the tags related to LoongCollector information. The key is the tag parameter name, and the value is the field name of the tag in the log. If you set the value to __default__, the default value is used. If you set the value to an empty string, the tag is deleted. The following tags can be configured:
  • HOST_NAME: the hostname. This tag is added by default. The default value is "__hostname__".

  • AGENT_TAG: the custom identifier. This tag is added by default. The default value is "__user_defined_id__".

  • HOST_ID: the host ID. This tag is not added by default. The default value is "__host_id__".

  • CLOUD_PROVIDER: This tag is not added by default. The default value is "__cloud_provider__".

Input plugins

File input plugin

Parameter Type Required Default value Example Description
Type string Yes / input_file The plugin type. Set the value to input_file.
FilePaths [string] Yes / ["/var/log/*.log"] The paths of the log files that you want to collect. Currently, only one path is supported. You can use the wildcard characters (*) and (**) in the path. The double-asterisk (**) wildcard character can appear only once and can be used only before the file name.
MaxDirSearchDepth uint No 0 0 The maximum depth of the directories that are matched by the double-asterisk (**) wildcard character in a file path. This parameter is valid only when a file path contains the double-asterisk (**) wildcard character. Valid values: 0 to 1000.
ExcludeFilePaths [string] No None ["/home/admin/*.log"] The blacklist of file paths. The paths must be absolute paths. The wildcard character (*) is supported.
ExcludeFiles [string] No None ["app*.log", "password"] The blacklist of file names. The wildcard character (*) is supported.
ExcludeDirs [string] No None ["/home/admin/dir1", "/home/admin/dir2*"] The blacklist of directories. The paths must be absolute paths. The wildcard character (*) is supported.
FileEncoding string No utf8 utf8 The encoding format of the file. Valid values: utf8 and gbk.
TailSizeKB uint No 1024 1024 The size of the data to be collected from the end of a file when the configuration is applied for the first time. If the file size is smaller than the specified value, data is collected from the beginning of the file. Unit: KB. Valid values: 0 to 10485760.
Multiline object No None / The multiline log aggregation options.
Multiline.Mode string No custom custom The multiline log aggregation mode. Valid values: custom and JSON.
Multiline.StartPattern string Required if Multiline.Mode is set to custom None \d+-\d+-\d+.* The regular expression to match the first line of a multiline log.
EnableContainerDiscovery bool No false true Specifies whether to enable container discovery. This parameter is valid only when Logtail runs in DaemonSet mode and the collection path is a path within a container.
ContainerFilters object No None / The container filtering options. Multiple options are combined using the AND operator. This parameter is valid only if you set EnableContainerDiscovery to true.
ContainerFilters.K8sNamespaceRegex string No None default For containers in a Kubernetes environment, specifies the namespace of the pods where the containers to be collected reside. If you do not specify this parameter, all containers are collected. Regular expressions are supported.
ContainerFilters.K8sPodRegex string No None test-pod For containers in a Kubernetes environment, specifies the names of the pods where the containers to be collected reside. If you do not specify this parameter, all containers are collected. Regular expressions are supported.
ContainerFilters.IncludeK8sLabel map No None / For containers in a Kubernetes environment, specifies the labels of the pods where the containers to be collected reside. Multiple conditions are combined using the OR operator. If you do not specify this parameter, all containers are collected. Regular expressions are supported. The key in the map is the pod label name, and the value is the pod label value. The following rules apply:
  • If the value in the map is empty, pods that contain the key are matched.

  • If the value in the map is not empty:
    • If the value starts with ^ and ends with $, pods that have a label name matching the key and a label value matching the regular expression are matched.

    • In other cases, pods that have a label name matching the key and a label value matching the value are matched.

ContainerFilters.ExcludeK8sLabel map No None / For containers in a Kubernetes environment, specifies the labels of the pods where the containers to be excluded reside. Multiple conditions are combined using the OR operator. If you do not specify this parameter, all containers are collected. Regular expressions are supported. The key in the map is the pod label name, and the value is the pod label value. The following rules apply:
  • If the value in the map is empty, pods that contain the key are matched.

  • If the value in the map is not empty:
    • If the value starts with ^ and ends with $, pods that have a label name matching the key and a label value matching the regular expression are matched.

    • In other cases, pods that have a label name matching the key and a label value matching the value are matched.

ContainerFilters.K8sContainerRegex string No None test-container For containers in a Kubernetes environment, specifies the names of the containers to be collected. If you do not specify this parameter, all containers are collected. Regular expressions are supported.
ContainerFilters.IncludeEnv map No None / The environment variables of the containers to be collected. Multiple conditions are combined using the OR operator. If you do not specify this parameter, all containers are collected. Regular expressions are supported. The key in the map is the environment variable name, and the value is the environment variable value. The following rules apply:
  • If the value in the map is empty, containers whose environment variables contain the key are matched.

  • If the value in the map is not empty:
    • If the value starts with ^ and ends with $, containers that have an environment variable name matching the key and an environment variable value matching the regular expression are matched.

    • In other cases, containers that have an environment variable name matching the key and an environment variable value matching the value are matched.

ContainerFilters.ExcludeEnv map No None / The environment variables of the containers to be excluded. Multiple conditions are combined using the OR operator. If you do not specify this parameter, all containers are collected. Regular expressions are supported. The key in the map is the environment variable name, and the value is the environment variable value. The following rules apply:
  • If the value in the map is empty, containers whose environment variables contain the key are matched.

  • If the value in the map is not empty:
    • If the value starts with ^ and ends with $, containers that have an environment variable name matching the key and an environment variable value matching the regular expression are matched.

    • In other cases, containers that have an environment variable name matching the key and an environment variable value matching the value are matched.

ContainerFilters.IncludeContainerLabel map No None / The labels of the containers to be collected. Multiple conditions are combined using the OR operator. If you do not specify this parameter, the default value is empty, which indicates that all containers are collected. Regular expressions are supported. The key in the map is the container label name, and the value is the container label value. The following rules apply:
  • If the value in the map is empty, containers that contain the key are matched.

  • If the value in the map is not empty:
    • If the value starts with ^ and ends with $, containers that have a label name matching the key and a label value matching the regular expression are matched.

    • In other cases, containers that have a label name matching the key and a label value matching the value are matched.

ContainerFilters.ExcludeContainerLabel map No None / The labels of the containers to be excluded. Multiple conditions are combined using the OR operator. If you do not specify this parameter, the default value is empty, which indicates that all containers are collected. Regular expressions are supported. The key in the map is the container label name, and the value is the container label value. The following rules apply:
  • If the value in the map is empty, containers that contain the key are matched.

  • If the value in the map is not empty:
    • If the value starts with ^ and ends with $, containers that have a label name matching the key and a label value matching the regular expression are matched.

    • In other cases, containers that have a label name matching the key and a label value matching the value are matched.

ExternalK8sLabelTag map No None / For containers in a Kubernetes environment, specifies the pod label-related tags that you want to add to logs. The key in the map is the pod label name, and the value is the corresponding tag name. For example, if you add app: k8s_label_app to the map and a pod contains the app=serviceA label, the information is added to the log as a tag. The added field is __tag__:k8s_label_app: serviceA. If the pod does not contain the app label, the empty field __tag__:k8s_label_app: is added.
ExternalEnvTag map No None / For containers in a Kubernetes environment, specifies the container environment variable-related tags that you want to add to logs. The key in the map is the environment variable name, and the value is the corresponding tag name. For example, if you add VERSION: env_version to the map and a container has the VERSION=v1.0.0 environment variable, the information is added to the log as a tag. The added field is __tag__:env_version: v1.0.0. If the container does not have the VERSION environment variable, the empty field __tag__:env_version: is added.
CollectingContainersMeta bool No false true Specifies whether to enable container metadata preview.
AppendingLogPositionMeta bool No false false Specifies whether to add the metadata of the file to which the log belongs. The metadata includes the __tag__:__inode__ field and the __file_offset__ field.
AllowingIncludedByMultiConfigs bool No false false Specifies whether to allow the current configuration to collect files that are matched by other configurations.
Tags object No None {"FileInodeTagKey":"__inode__"}
Important This parameter is supported only by LoongCollector 3.0.10 and later.
Controls the tags related to file collection. The key is the tag parameter name, and the value is the field name of the tag in the log. If you set the value to __default__, the default value is used. If you set the value to an empty string, the tag is deleted. The following tags can be configured:
  • FileInodeTagKey: the inode of the file. This tag is not added by default. The default value is "__inode__".

  • FilePathTagKey: the file path. This tag is added by default. The default value is "__path__".

The following parameters are valid only if you set the EnableContainerDiscovery parameter to true.
  • K8sNamespaceTagKey: the namespace of the container in which the file is located. This tag is added by default. The default value is "_namespace_".

  • K8sPodNameTagKey: the name of the pod in which the file is located. This tag is added by default. The default value is "_pod_name_".

  • K8sPodUidTagKey: the UID of the pod in which the file is located. This tag is added by default. The default value is "_pod_uid_".

  • ContainerNameTagKey: the name of the container in which the file is located. This tag is added by default. The default value is "_container_name_".

  • ContainerIpTagKey: the IP address of the container in which the file is located. This tag is added by default. The default value is "_container_ip_".

  • ContainerImageNameTagKey: the image of the container in which the file is located. This tag is added by default. The default value is "_image_name_".

FileOffsetKey string No None __file_offset__
Important This parameter is supported only by LoongCollector 3.0.10 and later.
The tag for the position of the log in the file. This tag is not added by default. The default value is __file_offset__. If you set the value to __default__, the default value is used. If you set the value to an empty string, the tag is deleted. If the AppendingLogPositionMeta parameter and the Tags.FileInodeTagKey or FileOffsetKey parameter are specified at the same time, the AppendingLogPositionMeta parameter is ignored.

Container stdout (legacy)

Parameter Type Required Default value Example Description
Type string Yes / service_docker_stdout The plugin type. Set the value to service_docker_stdout.
Stdout Boolean No true true Specifies whether to collect stdout.
Stderr Boolean No true true Specifies whether to collect stderr.
StartLogMaxOffset Integer No 128×1024 131072 The length of historical data to be collected for the first time. Unit: bytes. We recommend that you set this parameter to a value between 131072 and 1048576.
IncludeLabel Map, where LabelKey and LabelValue are of the String type No None

The whitelist of container labels. This parameter specifies the containers from which you want to collect logs. By default, this parameter is left empty, which indicates that the standard output of all containers is collected. If you want to configure a whitelist of container labels, you must specify LabelKey. LabelValue is optional.

  • If LabelValue is empty, containers whose labels contain LabelKey are matched.

  • If LabelValue is not empty, only containers whose labels contain LabelKey=LabelValue are matched.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a container label. If the value starts with ^ and ends with $, it is used for regular expression matching. For example, if you set LabelKey to io.kubernetes.container.name and LabelValue to ^(nginx|cube)$, containers named nginx and cube are matched.

Multiple whitelists are combined using the OR operator. A container is matched if its label meets the condition in any of the whitelists.

ExcludeLabel Map, where LabelKey and LabelValue are of the String type No None

The blacklist of container labels. This parameter specifies the containers that you want to exclude. By default, this parameter is left empty, which indicates that no containers are excluded. If you want to configure a blacklist of container labels, you must specify LabelKey. LabelValue is optional.

  • If LabelValue is empty, containers whose labels contain LabelKey are excluded.

  • If LabelValue is not empty, only containers whose labels contain LabelKey=LabelValue are excluded.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a container label. If the value starts with ^ and ends with $, it is used for regular expression matching. For example, if you set LabelKey to io.kubernetes.container.name and LabelValue to ^(nginx|cube)$, containers named nginx and cube are matched.

Multiple blacklists are combined using the OR operator. A container is excluded if its label meets the condition in any of the blacklists.

IncludeEnv Map, where EnvKey and EnvValue are of the String type No None

The whitelist of environment variables. This parameter specifies the containers from which you want to collect logs. By default, this parameter is left empty, which indicates that the standard output of all containers is collected. If you want to configure a whitelist of environment variables, you must specify EnvKey. EnvValue is optional.

  • If EnvValue is empty, containers whose environment variables contain EnvKey are matched.

  • If EnvValue is not empty, only containers whose environment variables contain EnvKey=EnvValue are matched.

    By default, EnvValue is used for string matching. A match is found only if EnvValue is identical to the value of an environment variable. If the value starts with ^ and ends with $, it is used for regular expression matching. For example, if you set EnvKey to NGINX_SERVICE_PORT and EnvValue to `^(80

ExcludeEnv Map, where EnvKey and EnvValue are of the String type No None

The blacklist of environment variables. This parameter specifies the containers that you want to exclude. By default, this parameter is left empty, which indicates that no containers are excluded. If you want to configure a blacklist of environment variables, you must specify EnvKey. EnvValue is optional.

  • If EnvValue is empty, logs from containers whose environment variables contain EnvKey are excluded.

  • If EnvValue is not empty, only containers whose environment variables contain EnvKey=EnvValue are excluded.

    By default, EnvValue is used for string matching. A match is found only if EnvValue is identical to the value of an environment variable. If the value starts with ^ and ends with $, it is used for regular expression matching. For example, if you set EnvKey to NGINX_SERVICE_PORT and EnvValue to ^(80|6379)$, containers whose service ports are 80 and 6379 are matched.

Multiple blacklists are combined using the OR operator. A container is excluded if its environment variable meets the condition in any of the key-value pairs.

IncludeK8sLabel Map, where LabelKey and LabelValue are of the String type No None

The whitelist of Kubernetes labels (defined in template.metadata). This parameter specifies the containers from which you want to collect logs. If you want to configure a whitelist of Kubernetes labels, you must specify LabelKey. LabelValue is optional.

  • If LabelValue is empty, containers whose Kubernetes labels contain LabelKey are matched.

  • If LabelValue is not empty, only containers whose Kubernetes labels contain LabelKey=LabelValue are matched.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a Kubernetes label. If the value starts with ^ and ends with $, it is used for regular expression matching. For example, if you set LabelKey to app and LabelValue to ^(test1|test2)$, containers whose Kubernetes labels contain app:test1 or app:test2 are matched.

Multiple whitelists are combined using the OR operator. A container is matched if its Kubernetes label meets the condition in any of the whitelists.

ExcludeK8sLabel Map, where LabelKey and LabelValue are of the String type No None

The blacklist of Kubernetes labels (defined in template.metadata). This parameter specifies the containers that you want to exclude. If you want to configure a blacklist of Kubernetes labels, you must specify LabelKey. LabelValue is optional.

  • If LabelValue is empty, containers whose Kubernetes labels contain LabelKey are excluded.

  • If LabelValue is not empty, only containers whose Kubernetes labels contain LabelKey=LabelValue are excluded.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a Kubernetes label. If the value starts with ^ and ends with $, it is used for regular expression matching. For example, if you set LabelKey to app and LabelValue to ^(test1|test2)$, containers whose Kubernetes labels contain app:test1 or app:test2 are matched.

Multiple blacklists are combined using the OR operator. A container is excluded if its Kubernetes label meets the condition in any of the blacklists.

K8sNamespaceRegex String No None ^(default|nginx)$ The namespace based on which you want to collect logs from containers. Regular expressions are supported. For example, if you set this parameter to ^(default|nginx)$, all containers in the nginx and default namespaces are matched.
K8sPodRegex String No None ^(nginx-log-demo.*)$ The pod name based on which you want to collect logs from containers. Regular expressions are supported. For example, if you set this parameter to ^(nginx-log-demo.*)$, all containers in pods whose names start with nginx-log-demo are matched.
K8sContainerRegex String No None ^(container-test)$ The container name based on which you want to collect logs. The Kubernetes container name is defined in spec.containers. Regular expressions are supported. For example, if you set this parameter to ^(container-test)$, all containers named container-test are matched.

Data processing parameters

Parameter Type Required Default value Example Description
BeginLineRegex String No None

The regular expression to match the first line of a log.

If you leave this parameter empty, the single-line mode is used.

If the beginning of a line matches the regular expression, the line is considered the first line of a new log. Otherwise, the line is appended to the previous log.

BeginLineCheckLength Integer No None

The maximum length for first-line matching. Unit: bytes.

The default value is 10 × 1024 bytes.

If the regular expression for first-line matching can be matched within the first N bytes, we recommend that you set this parameter to improve matching efficiency.

BeginLineTimeoutMs Integer No None

The timeout period for first-line matching. Unit: milliseconds.

The default value is 3,000 milliseconds.

If no new log is generated within 3,000 milliseconds, the matching ends, and the last log is uploaded to Simple Log Service.

MaxLogSize Integer No None

The maximum length of a log. The default value is 0. Unit: bytes.

The default value is 512 × 1024 bytes.

If the length of a log exceeds the specified value, the system stops searching for the first line and directly uploads the log.

ExternalK8sLabelTag Map, where LabelKey and LabelValue are of the String type No None

The Kubernetes label (defined in template.metadata) tags. After you configure this parameter, iLogtail adds Kubernetes label-related fields to logs.

For example, if you set LabelKey to app and LabelValue to k8s_label_app, and a pod contains the label app=serviceA, iLogtail adds this information to the log. The added field is k8s_label_app: serviceA. If the pod does not contain the app label, the empty field k8s_label_app: is added.

ExternalEnvTag Map, where EnvKey and EnvValue are of the String type No None

The container environment variable tags. After you configure this parameter, iLogtail adds container environment variable-related fields to logs.

For example, if you set EnvKey to VERSION and EnvValue to env_version, and a container has the environment variable VERSION=v1.0.0, this information is added to the log as a tag. The added field is env_version: v1.0.0. If the container does not have the VERSION environment variable, the empty field env_version: is added.

Data processing environment variables

Environment variable Type Required Default value Example Description
ALIYUN_LOG_ENV_TAGS String No None

The global environment variable tags. After you configure this parameter, iLogtail adds fields related to the environment variables of the container where iLogtail resides to logs. Separate multiple environment variable names with vertical bars (|).

For example, if you set this parameter to node_name|node_ip and the iLogtail container exposes the related environment variables, this information is added to the log as tags. The added fields are node_ip:172.16.0.1 and node_name:worknode.

Container stdout (new version)

Parameter Type Required Default value Example Description
Type string Yes / input_container_stdio The plugin type. Set the value to input_container_stdio.
IgnoringStdout Boolean No false false Specifies whether to ignore stdout. false indicates that stdout is collected. true indicates that stdout is not collected.
IgnoringStderr Boolean No false false Specifies whether to ignore stderr. false indicates that stderr is collected. true indicates that stderr is not collected.
TailSizeKB Integer (uint) No 1024 2048 The size of the data to be collected from the end of a file when the configuration is applied for the first time. Unit: KB. If the file size is smaller than the specified value, data is collected from the beginning of the file. Valid values: 0 to 104857600.
AllowingIncludedByMultiConfigs Boolean No false true Specifies whether to allow the current configuration to collect stdout logs from containers that are matched by other configurations. The default value false prevents duplicate collection by multiple configurations.
ContainerFilters Object No None See the Container filtering options (ContainerFilters) table below The container filtering options. Multiple options are combined using the AND operator.
ExternalK8sLabelTag Map, where LabelKey/LabelValue are String No None {"app":"k8s_label_app"} For Kubernetes scenarios: retrieves values from pod labels and appends them to logs as tags. The key of the map is the pod label name, and the value is the log field name (tag name). If a pod does not have the specified label, an empty field is appended.
ExternalEnvTag Map, where EnvKey/EnvValue are String No None {"VERSION":"env_version"} For container scenarios: retrieves values from container environment variables and appends them to logs as tags. The key of the map is the environment variable name, and the value is the log field name (tag name). If a container does not have the specified environment variable, an empty field is appended.
Multiline Object No None See the Multiline aggregation options (Multiline) table below The multiline aggregation options.

Container filtering options (ContainerFilters)

Parameter Type Required Default value Example Description
IncludeK8sLabel Map, where LabelKey/LabelValue are String No None {"app":"^(test1|test2)$"}

The whitelist of Kubernetes labels (defined in the metadata.labels of a pod). This parameter specifies the containers from which you want to collect logs. By default, this parameter is left empty, which indicates that the standard output of all containers is collected.

  • If LabelValue is empty, containers whose Kubernetes labels contain LabelKey are matched.

  • If LabelValue is not empty, only containers whose Kubernetes labels contain LabelKey=LabelValue are matched.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a Kubernetes label. If the value starts with ^ and ends with $, it is used for regular expression matching.

Multiple whitelists are combined using the OR operator. A container is matched if its Kubernetes label meets the condition in any of the whitelists.

ExcludeK8sLabel Map, where LabelKey/LabelValue are String No None {"env":"^(test.*)$"}

The blacklist of Kubernetes labels (defined in the metadata.labels of a pod). This parameter specifies the containers that you want to exclude. By default, this parameter is left empty, which indicates that no containers are excluded.

  • If LabelValue is empty, containers whose Kubernetes labels contain LabelKey are excluded.

  • If LabelValue is not empty, only containers whose Kubernetes labels contain LabelKey=LabelValue are excluded.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a Kubernetes label. If the value starts with ^ and ends with $, it is used for regular expression matching.

Multiple blacklists are combined using the OR operator. A container is excluded if its Kubernetes label meets the condition in any of the blacklists.

IncludeEnv Map, where EnvKey/EnvValue are String No None {"NGINX_SERVICE_PORT":"^(80|6379)$"}

The whitelist of environment variables. This parameter specifies the containers from which you want to collect logs. By default, this parameter is left empty, which indicates that the standard output of all containers is collected. If you want to configure a whitelist of environment variables, you must specify EnvKey. EnvValue is optional.

  • If EnvValue is empty, containers whose environment variables contain EnvKey are matched.

  • If EnvValue is not empty, only containers whose environment variables contain EnvKey=EnvValue are matched.

    By default, EnvValue is used for string matching. A match is found only if EnvValue is identical to the value of an environment variable. If the value starts with ^ and ends with $, it is used for regular expression matching.

Multiple whitelists are combined using the OR operator. A container is matched if its environment variable meets the condition in any of the key-value pairs.

ExcludeEnv Map, where EnvKey/EnvValue are String No None {"POD_NAMESPACE":"kube-system"}

The blacklist of environment variables. This parameter specifies the containers that you want to exclude. By default, this parameter is left empty, which indicates that no containers are excluded. If you want to configure a blacklist of environment variables, you must specify EnvKey. EnvValue is optional.

  • If EnvValue is empty, containers whose environment variables contain EnvKey are excluded.

  • If EnvValue is not empty, only containers whose environment variables contain EnvKey=EnvValue are excluded.

    By default, EnvValue is used for string matching. A match is found only if EnvValue is identical to the value of an environment variable. If the value starts with ^ and ends with $, it is used for regular expression matching.

Multiple blacklists are combined using the OR operator. A container is excluded if its environment variable meets the condition in any of the key-value pairs.

IncludeContainerLabel Map, where LabelKey/LabelValue are String No None {"io.kubernetes.container.name":"nginx"}

The whitelist of container labels. This parameter specifies the containers from which you want to collect logs. By default, this parameter is left empty, which indicates that the standard output of all containers is collected. If you want to configure a whitelist of container labels, you must specify LabelKey. LabelValue is optional.

  • If LabelValue is empty, containers whose labels contain LabelKey are matched.

  • If LabelValue is not empty, only containers whose labels contain LabelKey=LabelValue are matched.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a container label. If the value starts with ^ and ends with $, it is used for regular expression matching.

Multiple whitelists are combined using the OR operator. A container is matched if its label meets the condition in any of the whitelists.

ExcludeContainerLabel Map, where LabelKey/LabelValue are String No None {"io.kubernetes.pod.namespace":"kube-system"}

The blacklist of container labels. This parameter specifies the containers that you want to exclude. By default, this parameter is left empty, which indicates that no containers are excluded. If you want to configure a blacklist of container labels, you must specify LabelKey. LabelValue is optional.

  • If LabelValue is empty, containers whose labels contain LabelKey are excluded.

  • If LabelValue is not empty, only containers whose labels contain LabelKey=LabelValue are excluded.

    By default, LabelValue is used for string matching. A match is found only if LabelValue is identical to the value of a container label. If the value starts with ^ and ends with $, it is used for regular expression matching.

Multiple blacklists are combined using the OR operator. A container is excluded if its label meets the condition in any of the blacklists.

Multiline aggregation options (Multiline)

Parameter Type Required Default value Example Description
Mode String No custom custom The multiline aggregation mode. Valid values: custom and JSON. If you set this parameter to JSON, logs are read and concatenated in JSON format.
StartPattern String No (required in custom mode) None \d+-\d+-\d+.* The regular expression for the first line of a log. A match indicates the start of a new log.
UnmatchedContentTreatment String No single_line discard The processing method for unmatched log segments. Valid values: discard (discards the segment) and single_line (outputs each unmatched segment as a single-line log).

MySQL input plugin

Parameter Type Required Default value Example Description
Type string Yes / service_mysql The plugin type. Set the value to service_mysql.
Address string No 127.0.0.1:3306 rm-*.mysql.rds.aliyuncs.com The address of the MySQL database.
User string No root root The username that is used to log on to the MySQL database.
Password string No None The password of the user that is used to log on to the MySQL database. For security purposes, you can set the username and password to xxx. After the collection configuration is synchronized to your on-premises machine, find the configuration in the /usr/local/ilogtail/user_log_config.json file and modify it. For more information, see Modify local configurations.
Important If you modify this parameter in the console, the local configuration is overwritten after synchronization.
DataBase string No / project_database The name of the database.
DialTimeOutMs int No 5000 5000 The timeout period for connecting to the MySQL database. Unit: ms.
ReadTimeOutMs int No 5000 5000 The timeout period for reading the MySQL query results. Unit: ms.
StateMent string No / The SELECT statement. If you set CheckPoint to true, the WHERE clause in the SELECT statement must contain the checkpoint column (CheckPointColumn). You can use a question mark (?) as a placeholder to work with the checkpoint column. For example, you can set CheckPointColumn to id, CheckPointStart to 0, and StateMent to SELECT * from ... where id > ?. After each collection, the system saves the ID of the last data entry as a checkpoint. In the next collection, the question mark (?) in the query statement is replaced with the ID corresponding to the checkpoint.
Limit bool No false true Specifies whether to use LIMIT for paging.
  • true: uses LIMIT for paging.

  • false (default): does not use LIMIT for paging.

We recommend that you use LIMIT for paging. If you set Limit to true, the system automatically appends a LIMIT clause to the SELECT statement during SQL queries.
PageSize int No / 10 The number of entries to return on each page. This parameter is required if you set Limit to true.
MaxSyncSize int No 0 0 The maximum number of records to synchronize at a time. The default value is 0, which indicates that no limit is imposed.
CheckPoint bool No false true Specifies whether to use a checkpoint.
  • true: uses a checkpoint.

  • false (default): does not use a checkpoint.

A checkpoint can be used as the starting point for the next data collection to implement incremental data collection.
CheckPointColumn string No None 1 The name of the checkpoint column. This parameter is required if you set CheckPoint to true. Warning The values in this column must be incremental. Otherwise, data may fail to be collected. The maximum value in each query result is used as the input for the next query.
CheckPointColumnType string No None int The data type of the checkpoint column. Valid values: int and time. The int type is stored as int64. The time type supports the date, datetime, and time types of MySQL. This parameter is required if you set CheckPoint to true.
CheckPointStart string No None The initial value of the checkpoint column. This parameter is required if you set CheckPoint to true.
CheckPointSavePerPage bool No true true Specifies whether to save a checkpoint for each page.
  • true (default): saves a checkpoint for each page.

  • false: saves a checkpoint after each synchronization is complete.

IntervalMs int No 60000 60000 The synchronization interval. The default value is 60,000. Unit: ms.

HTTP input plugin

Parameter Type Required Default value Example Description
Type string Yes / metric_http The plugin type. Set the value to metric_http.
Address string Yes / The list of URLs. Important The URLs must start with http or https.
IntervalMs int Yes / 10 The interval between requests. Unit: ms.
Method string No GET GET The request method. The value must be in uppercase.
Body string No None The content of the HTTP body.
Headers map No None {"key":"value"} The content of the HTTP header. For example, {"key":"value"}. Replace the content with the actual value.
PerAddressSleepMs int No 100 100 The interval between requests for each URL in the Addresses list. Unit: ms.
ResponseTimeoutMs int No 5000 5000 The request timeout period. Unit: ms.
IncludeBody bool No false true Specifies whether to collect the request body. The default value is false. If you set this parameter to true, the request body content is stored in a key named content.
FollowRedirects bool No false false Specifies whether to automatically handle redirections.
InsecureSkipVerify bool No false false Specifies whether to skip HTTPS security checks.
ResponseStringMatch string No / Performs a regular expression check on the returned body content. The check result is stored in a key named _response_match_. If a match is found, the value is yes. If no match is found, the value is no.

Syslog input plugin

Parameter Type Required Default value Example Description
Type string Yes / service_syslog The plugin type. Set the value to service_syslog.
Address string No tcp://127.0.0.1:9999 The protocol, address, and port that Logtail listens on. Logtail listens on the specified protocol, address, and port and obtains log data. The format is [tcp/udp]://[ ip ]:[ port ]. If you do not configure this parameter, the default value tcp://127.0.0.1:9999 is used. This indicates that only logs forwarded from the local machine can be received. Note
  • The protocol, address, and port number specified in the Logtail configuration must be the same as the forwarding rule specified in the rsyslog configuration file.

  • If the server where Logtail is installed has multiple IP addresses that can receive logs, you can set the address to 0.0.0.0. This indicates that Logtail listens on all IP addresses of the server.

ParseProtocol string No None rfc3164 The protocol used to parse logs. The default value is empty, which indicates that logs are not parsed. Valid values:
  • Empty: does not parse logs.

  • rfc3164: uses the RFC3164 protocol to parse logs.

  • rfc5424: uses the RFC5424 protocol to parse logs.
  • auto: automatically selects a suitable parsing protocol based on the log content.

IgnoreParseFailure bool No true true The operation to perform after a parsing failure. If you do not configure this parameter, the default value true is used, which indicates that parsing is abandoned and the returned content field is directly populated. If you set this parameter to false, the log is discarded if parsing fails.

Systemd Journal input plugin

Parameter Type Required Default value Example Description
Type string Yes / service_journal The plugin type. Set the value to service_journal.
JournalPaths [string] Yes None /var/log/journal The Journal log path. We recommend that you set this parameter to the directory where Journal logs are stored.
SeekPosition string No tail tail The initial collection method. Valid values: head and tail.
  • head: collects all data.

  • tail: collects only new data after the Logtail collection configuration is applied.

Kernel bool No true true Specifies whether to collect kernel logs.
Units [string] No None "" The list of units to collect. By default, this parameter is left empty, which indicates that all units are collected.
ParseSyslogFacility bool No false false Specifies whether to parse the facility field of syslog logs. If you do not configure this parameter, the field is not parsed.
ParsePriority bool No false false Specifies whether to parse the Priority field. If you do not configure this parameter, the field is not parsed. If you set this parameter to true, the Priority field is mapped as follows: plaintext "0": "emergency" "1": "alert" "2": "critical" "3": "error" "4": "warning" "5": "notice" "6": "informational" "7": "debug"
UseJournalEventTime bool No false false Specifies whether to use the field in the Journal log as the log time. If you do not configure this parameter, the collection time is used as the log time. The time difference for real-time log collection is generally within 3 seconds.

SQL Server input plugin

Parameter Type Required Default value Example Description
Type string Yes / service_mssql The plugin type. Set the value to service_mssql.
Address string No 127.0.0.1:1433 rm-*.sqlserver.rds.aliyuncs.com The address of the SQL Server database.
User string No root root The username that is used to log on to the SQL Server database.
Password string No None The password of the user that is used to log on to the SQL Server database. For security purposes, you can set the username and password to xxx. After the collection configuration is synchronized to your on-premises machine, find the configuration in the /usr/local/ilogtail/user_log_config.json file and modify it. For more information, see Modify local configurations.
Important If you modify this parameter in the console, the local configuration is overwritten after synchronization.
DataBase string No / project_database The name of the database.
DialTimeOutMs int No 5000 5000 The timeout period for connecting to the SQL Server database. Unit: ms.
ReadTimeOutMs int No 5000 5000 The timeout period for reading the SQL Server query results. Unit: ms.
StateMent string No / The SELECT statement. If you set CheckPoint to true, the WHERE clause in the SELECT statement must contain the checkpoint column (CheckPointColumn). You can use a question mark (?) as a placeholder to work with the checkpoint column. For example, you can set CheckPointColumn to id, CheckPointStart to 0, and StateMent to SELECT * from ... where id > ?. After each collection, the system saves the ID of the last data entry as a checkpoint. In the next collection, the question mark (?) in the query statement is replaced with the ID corresponding to the checkpoint.
Limit bool No false true Specifies whether to use LIMIT for paging.
  • true: uses LIMIT for paging.

  • false (default): does not use LIMIT for paging.

We recommend that you use LIMIT for paging. If you set Limit to true, the system automatically appends a LIMIT clause to the SELECT statement during SQL queries.
PageSize int No / 10 The number of entries to return on each page. This parameter is required if you set Limit to true.
MaxSyncSize int No 0 0 The maximum number of records to synchronize at a time. The default value is 0, which indicates that no limit is imposed.
CheckPoint bool No false true Specifies whether to use a checkpoint.
  • true: uses a checkpoint.

  • false (default): does not use a checkpoint.

A checkpoint can be used as the starting point for the next data collection to implement incremental data collection.
CheckPointColumn string No None 1 The name of the checkpoint column. This parameter is required if you set CheckPoint to true. Warning The values in this column must be incremental. Otherwise, data may fail to be collected. The maximum value in each query result is used as the input for the next query.
CheckPointColumnType string No None int The data type of the checkpoint column. Valid values: int and time. The int type is stored as int64. The time type supports the date, datetime, and time types of SQL Server. This parameter is required if you set CheckPoint to true.
CheckPointStart string No None The initial value of the checkpoint column. This parameter is required if you set CheckPoint to true.
CheckPointSavePerPage bool No true true Specifies whether to save a checkpoint for each page.
  • true (default): saves a checkpoint for each page.

  • false: saves a checkpoint after each synchronization is complete.

IntervalMs int No 60000 60000 The synchronization interval. The default value is 60,000. Unit: ms.

PostgreSQL input plugin

Parameter Type Required Default value Example Description
Type string Yes / service_pgsql The plugin type. Set the value to service_pgsql.
Address string No 127.0.0.1:5432 rm-*.pg.rds.aliyuncs.com The address of the PostgreSQL database.
User string No root root The username that is used to log on to the PostgreSQL database.
Password string No None The password of the user that is used to log on to the PostgreSQL database. For security purposes, you can set the username and password to xxx. After the collection configuration is synchronized to your on-premises machine, find the configuration in the /usr/local/ilogtail/user_log_config.json file and modify it. For more information, see Modify local configurations.
Important If you modify this parameter in the console, the local configuration is overwritten after synchronization.
DataBase string No / project_database The name of the PostgreSQL database.
DialTimeOutMs int No 5000 5000 The connection timeout for the PostgreSQL database, in milliseconds.
ReadTimeOutMs int No 5000 5000 The timeout for reading PostgreSQL query results. Unit: ms.
StateMent string No / The SELECT statement. If CheckPoint is set to true, the WHERE clause in the StateMent must include a condition for the checkpoint column. The checkpoint column is specified by the CheckPointColumn parameter. This condition must use $1 as a placeholder for the checkpoint value. For example: Set CheckPointColumn to id and StateMent to SELECT * from ... where id > $1
Limit Boolean No false true Specifies whether to use Limit for paging.
  • true: Use Limit.

  • false (default): Do not use Limit.

Use Limit for paging. If set to true, the system automatically appends a LIMIT statement to SELECT statements during SQL queries.
PageSize int No / 10 The page size. This parameter is required if `Limit` is set to `true`.
MaxSyncSize int No 0 0 The maximum number of records to sync each time. The default value is 0, which means there is no limit.
CheckPoint bool No false true Specifies whether to use a checkpoint.
  • true: Use a checkpoint.

  • false: (Default) Do not use a checkpoint.

A checkpoint can be used as the starting point for the next data collection to enable incremental data collection.
CheckPointColumn string No Empty 1 The name of the CheckPoint column. This parameter is required when CheckPoint is set to true. Warning The value of this column must be incremental. Otherwise, data collection issues may occur because the maximum value from each query is used as the input for the next query.
CheckPointColumnType string No empty int The data type of the CheckPoint column. Supported values are `int` and `time`. The `int` type is stored as `int64`. The `time` type supports PostgreSQL time types. This parameter is required when the CheckPoint parameter is set to `true`.
CheckPointStart string No empty The initial value of the CheckPoint column. This parameter is required when CheckPoint is set to true.
CheckPointSavePerPage bool No true true Specifies whether to save a checkpoint for each page.
  • true (Default): Saves a checkpoint for each page.

  • false: Saves a checkpoint after each sync is complete.

IntervalMs int No 60000 60000 The synchronization interval. The default value is 60000 ms.

SNMP input plugin

Parameter Type Required Default value Example Description
Targets [string] Yes / 127.0.0.1 The IP addresses of the target machine group.
Port string No 161 161 The port used by the SNMP protocol.
Community string No public public The community string. SNMPv1 and SNMPv2 use the community string for authentication.
UserName string No Empty root The username. SNMPv3 supports authentication using a username.
AuthenticationProtocol string No NoAuth NoAuth The authentication protocol. SNMPv3 supports authentication using an authentication protocol.
AuthenticationPassphrase string No Empty The authentication passphrase. The default value is empty. If you set AuthenticationProtocol to MD5 or SHA, you must set AuthenticationPassphrase.
PrivacyProtocol string No NoPriv NoPriv The privacy protocol. SNMPv3 supports authentication using a privacy protocol.
PrivacyPassphrase string No Empty The privacy protocol passphrase. By default, it is the same as the authentication passphrase. If you set PrivacyProtocol to DES or AES, you must set PrivacyPassphrase.
Timeout int No 5 5 The timeout period for a query operation, in seconds.
Version int No 2 2 The SNMP protocol version. Valid values are 1, 2, and 3.
Transport string No udp udp The SNMP communication method. Valid values are udp and tcp.
MaxRepetitions int No 0 0 The number of retries after a query times out.
Oids [string] No Empty 1 The Object Identifiers (OIDs) to query on the target machine.
Fields [string] No Empty int The fields to query on the target machine. The plugin looks up these fields in the local Management Information Base (MIB), translates them into Object Identifiers (OIDs), and then queries them.
Tables [string] No Empty The tables to query on the target machine. The plugin finds all fields within the specified tables, looks them up in the local Management Information Base (MIB), translates them into Object Identifiers (OIDs), and then queries them.

Script output collector plugin

Parameter Type Required Default value Example Description
Type string Yes / input_command The type of the plugin. The value is fixed to input_command.
ScriptType string Yes Empty shell The type of the script content. Valid values are bash, shell, python2, and python3.
User string Yes / public The username used to run the command. Only non-root users are supported. Note * Ensure the specified username exists on the machine. Configure the least privilege. Grant only rwx permissions for the folders or files to be monitored.
ScriptContent string Yes Empty The content of the script. The content can be in plain text or Base64-encoded. The length cannot exceed 512 × 1024 bytes.
ContentEncoding string No PlainText PlainText The encoding format of the script content. This parameter is optional. Valid values:
  • PlainText (Default): The script content is plain text and not encoded.

  • Base64: The script content is Base64-encoded.

LineSplitSep string No Empty The separator used to split the script output. If you leave this parameter empty, the output is not split and is returned as a single log entry.
CmdPath string No Empty /usr/bin/bash The execution path of the script. If this parameter is empty, a default path is used. The default paths are as follows:
  • bash: /usr/bin/bash

  • shell: /usr/bin/sh

  • python2: /usr/bin/python2

  • python3: /usr/bin/python3

TimeoutMilliSeconds int No 3000 3000 The timeout period for script execution. Unit: milliseconds.
IgnoreError bool No false false Specifies whether to ignore error logs if the plugin fails to execute. The default value is false, which indicates that errors are not ignored.
Environments [string] No The environment variables. By default, the value of os.Environ() is used. If you set this parameter, the specified environment variables are appended to the os.Environ() value.
IntervalMs int No 5000 5000 The interval at which data is collected or the script is executed. Unit: milliseconds.

Native processor plugins

Native regex parsing plugin

Parameter Type Required Default value Example Description
Type string Yes None processor_parse_regex_native The plugin type. The value is fixed to processor_parse_regex_native.
SourceKey string Yes None content The source field name.
Regex string Yes None (\d+-\d+-\d+)\s+(.*) The regular expression.
Keys [string] Yes None ["time", "msg"] The list of extracted fields.
KeepingSourceWhenParseFail bool No false false Specifies whether to keep the source field if parsing fails.
KeepingSourceWhenParseSucceed bool No false false Specifies whether to keep the source field if parsing succeeds.
RenamedSourceKey string No Empty key The new name for the source field if it is kept. If you leave this parameter empty, the source field is not renamed.

Native JSON parsing plugin

Parameter Type Required Default Value Example Description
Type string Yes / processor_parse_json_native The type of the plug-in. The value is fixed to processor_parse_json_native.
SourceKey string Yes / content The name of the source field.
KeepingSourceWhenParseFail bool No false false Specifies whether to keep the source field if parsing fails.
KeepingSourceWhenParseSucceed bool No false false Specifies whether to keep the source field if parsing succeeds.
RenamedSourceKey string No empty key The new field name for the source field when it is kept. If this parameter is left empty, the source field is not renamed.

Native separator parsing plugin

Parameter Type Required Default value Example Description
Type string Yes / processor_parse_delimiter_native The type of the plug-in. The value must be processor_parse_delimiter_native.
SourceKey string Yes / content The name of the source field.
Separator string Yes / , The separator character.
Quote string No " " The quote character.
Keys [string] Yes / ["time", "msg"] The list of keys for the extracted fields.
AllowingShortenedFields bool No true true Specifies whether to allow fewer extracted fields than keys. If set to false, parsing fails if the number of fields is smaller than the number of keys.
OverflowedFieldsTreatment string No extend extend The behavior when the number of extracted fields is greater than the number of keys. Valid values:
  • extend: Keeps the extra fields and adds each one to the log as a separate field. The extra fields are named __column$i__, where $i is the ordinal number of the field, starting from 0.

  • keep: Keeps the extra fields and adds them to the log as a single field named __column0__.

  • discard: Discards the extra fields.

KeepingSourceWhenParseFail bool No false false Specifies whether to keep the source field if parsing fails.
KeepingSourceWhenParseSucceed bool No false false Specifies whether to keep the source field if parsing succeeds.
RenamedSourceKey string No empty key The name of the field used to store the source field when the source field is kept. If you do not specify a name, the source field is not renamed.

Native Apsara parsing plugin

Parameter Type Required Default value Example Description
Type string Yes / processor_parse_apsara_native The plugin type. The value is fixed to processor_parse_apsara_native.
SourceKey string Yes / content The source field name.
Timezone string No Empty GMT+08:00 The time zone of the log. The format is GMT+HH:MM for eastern time zones or GMT-HH:MM for western time zones.
KeepingSourceWhenParseFail bool No false false Specifies whether to keep the source field when parsing fails.
KeepingSourceWhenParseSucceed bool No false false Specifies whether to keep the source field when parsing succeeds.
RenamedSourceKey string No Empty key The name of the field that stores the source field if the source field is kept. If this parameter is empty, the source field is not renamed.

Native time parsing plugin

Parameter Type Required Default value Example Description
Type string Yes / processor_parse_timestamp_native The type of the plugin. The value must be processor_parse_timestamp_native.
SourceKey string Yes / content The name of the source field.
SourceFormat string Yes / %Y/%m/%d %H:%M:%S The time format of the log. For more information, see Time formats.
SourceTimezone string No Empty GMT+08:00 The time zone of the log. The format is GMT+HH:MM for eastern time zones or GMT-HH:MM for western time zones.

Native filtering plugin

Parameter Type Required Example Default value Description
Type string Yes processor_filter_regex_native / The plugin type. The value is fixed to processor_filter_regex_native.
Include map Yes / / A whitelist for log fields. The key is a field name and the value is a regular expression. A log is collected only if the content of the specified field matches the regular expression. If you define multiple conditions, a log is collected only if it meets all of them.

Native data masking plugin

Parameter Type Required Default value Example Description
Type string Yes / processor_desensitize_native The plugin type. The value is fixed to processor_desensitize_native.
SourceKey string Yes / content The name of the source field.
Method string Yes / const The data masking method. Valid values include the following: const: Replaces sensitive content with a constant string. md5: Replaces sensitive content with its MD5 value.
ReplacingString string No. This parameter is required when Method is set to const. / ****** The constant string used to replace sensitive content.
ContentPatternBeforeReplacedString string Yes / 'password:' The regular expression for the prefix of the sensitive content.
ReplacedContentPattern string Yes / [^']* The regular expression for the sensitive content.
ReplacingAll bool No true true Specifies whether to replace all matched sensitive content.

Extension processor plugins

Fetch fields

Regular expression pattern

Parameter Type Required Default value Example Description
Type string Yes / processor_regex The type of the plugin. This is fixed to processor_regex.
SourceKey string Yes / content The name of the source field.
Regex string Yes / (\d+-\d+-\d+)\s+(.*) The regular expression. Use parentheses () to annotate the fields to fetch.
Keys [string] Yes / ["ip", "time", "method"] Specifies the field names for the fetched content, such as ["ip", "time", "method"].
NoKeyError boolean No false false Specifies whether the system reports an error if the source field does not exist in the raw log.
  • true: The system reports an error.

  • false (default): The system does not report an error.

NoMatchError boolean No false false Specifies whether the system reports an error if the regular expression does not match the value of the source field.
  • true: The system reports an error.

  • false (default): The system does not report an error.

KeepSource boolean No false false Specifies whether to keep the source field in the parsed log.
  • true: Keeps the source field.

  • false (default): Does not keep the source field.

FullMatch boolean No true true Specifies whether to fetch field values only when a full match is found.
  • true (default): Field values are fetched only if all fields that you set in the Keys parameter match the value of the source field based on the regular expression in the Regex parameter.

  • false: Field values are fetched even if only a partial match is found.

KeepSourceIfParseError boolean No true false Specifies whether to keep the source field in the log if parsing fails.
  • true (default): Keeps the source field.

  • false: Does not keep the source field.

Delimiter mode

Parameter Type Required Default Value Example Description
Type string Yes N/A processor_anchor The type of the plug-in. This is fixed to processor_anchor.
SourceKey string Yes N/A content The name of the source field.
Anchors array Yes N/A The list of anchor items.
Start string Yes Empty time The start keyword. If this parameter is empty, it matches the beginning of the string.
Stop string Yes Empty \t The end keyword. If this parameter is empty, it matches the end of the string.
FieldName string Yes Empty time The name of the field for the extracted content.
FieldType string Yes Empty string The type of the field. Valid values are string and json.
ExpandJson boolean No false false Specifies whether to expand the JSON field.
  • true: Expand the field.

  • false (default): Do not expand the field.

ExpandConnector string No _ _ The connector used for JSON expansion. The default value is an underscore (_).
MaxExpandDepth integer No 0 0 The maximum depth for JSON expansion. The default value is 0, which means no limit.
NoAnchorError boolean No false false Specifies whether to report an error if an anchor item is not found.
  • true: Report an error.

  • false (default): Do not report an error.

NoKeyError boolean No false false Specifies whether to report an error if the specified source field does not exist in the raw log.
  • true: Report an error.

  • false (default): Do not report an error.

KeepSource boolean No false false Specifies whether to keep the source field in the parsed log.
  • true: Keep the source field.

  • false (default): Do not keep the source field.

CSV pattern

Parameter Type Required Default value Example Description
Type string Yes None processor_csv The plugin type. Set this to processor_csv.
SourceKey String Yes None csv The name of the source field.
SplitKeys String array Yes None ["date", "ip", "content"] Specify the field names for the extracted content, such as ["date", "ip", "content"]. Important If the number of fields to split is smaller than the number of fields specified in the SplitKeys parameter, the excess fields in SplitKeys are ignored.
PreserveOthers Boolean No false false Specifies whether to keep remaining content when the source data contains more fields than specified in the SplitKeys parameter.
  • true: Keep the remaining content.

  • false (default): Do not keep the remaining content.

ExpandOthers Boolean No false false Specifies whether to parse the remaining content.
  • true: Parse the content. Use the ExpandKeyPrefix parameter to specify a prefix for the names of the extra fields.

  • false (default): Do not parse the content. If PreserveOthers is set to true and ExpandOthers is set to false, the remaining content is stored in the _decode_preserve_ field.

Note If the content of the extra fields is not in standard CSV format, normalize it before storage.
ExpandKeyPrefix String No The prefix for the names of the extra fields. For example, if you set this parameter to expand_, the field names are expand_1, expand_2, and so on.
TrimLeadingSpace Boolean No false false Specifies whether to ignore leading spaces in field values.
  • true: Ignore leading spaces.

  • false (default): Do not ignore leading spaces.

SplitSep String No , , The separator. The default value is a comma (,).
KeepSource Boolean No false false Specifies whether to keep the source field in the parsed log.
  • true: Keep the source field.

  • false (default): Do not keep the source field.

NoKeyError Boolean No false false Specifies whether to report an error if the specified source field does not exist in the raw log.
  • true: Report an error.

  • false (default): Do not report an error.

Single-character separator pattern

Parameter Type Required Default value Example Description
Type string Yes / processor_split_char The type of the plugin. The value must be processor_split_char.
SourceKey String Yes The name of the source field.
SplitSep String Yes The separator. This must be a single character. A non-printable character, such as \u0001, can be used.
SplitKeys String array Yes ["ip", "time", "method"] Specify the field names for the extracted content. For example, ["ip", "time", "method"].
PreserveOthers Boolean No false false Specifies whether to keep the remaining fields when the number of split fields is greater than the number of keys in SplitKeys.
  • true: Keep the remaining fields.

  • false (default): Do not keep the remaining fields.

QuoteFlag Boolean No false false Specifies whether to use a quote character.
  • true: Use a quote character.

  • false (default): Do not use a quote character.

Quote String No / \u0001 The quote character. This must be a single character. A non-printable character, such as \u0001, can be used. This parameter is valid only when QuoteFlag is set to true.
NoKeyError Boolean No false false Specifies whether to report an error if the specified source field does not exist in the raw log.
  • true: Report an error.

  • false (default): Do not report an error.

NoMatchError Boolean No false false Specifies whether to report an error if the specified separator does not match the separator in the log.
  • true: Report an error.

  • false (default): Do not report an error.

KeepSource Boolean No false false Specifies whether to keep the source field in the parsed log.
  • true: Keep the source field.

  • false (default): Do not keep the source field.

Multi-character separator pattern

Parameter Type Required Default value Example Description
Type string Yes / processor_split_string The type of the plugin. This parameter is fixed to `processor_split_string`.
SourceKey String Yes The name of the source field.
SplitSep String Yes The separator. This must be a single character. You can set this parameter to a non-printable character, such as `\u0001`.
SplitKeys String array Yes ["key1","key2"] The field names for the extracted content, such as `["key1","key2"]`. Note If the number of fields to split is smaller than the number of keys in the `SplitKeys` parameter, the extra keys are ignored.
PreserveOthers Boolean No false false Specifies whether to keep the remaining fields when the number of split fields is greater than the number of keys in the `SplitKeys` parameter.
  • `true`: Keep the remaining fields.

  • `false` (default): Do not keep the remaining fields.

ExpandOthers Boolean No false false Specifies whether to expand the remaining fields into separate key-value pairs. This parameter takes effect only when `PreserveOthers` is set to `true`.
  • `true`: Expand the fields.

  • `false` (default): Do not expand the fields.

ExpandKeyPrefix String No / expand_ The prefix for the names of the remaining fields. For example, if you set this parameter to `expand_`, the field names are `expand_1`, `expand_2`, and so on.
NoKeyError Boolean No false false Specifies whether to report an error if the source field specified in `SourceKey` does not exist in the raw log.
  • `true`: Report an error.

  • `false` (default): Do not report an error.

NoMatchError Boolean No false false Specifies whether to report an error if the log content cannot be split by the separator specified in `SplitSep`.
  • `true`: Report an error.

  • `false` (default): Do not report an error.

KeepSource Boolean No false false Specifies whether to keep the source field in the parsed log.
  • `true`: Keep the source field.

  • `false` (default): Do not keep the source field.

Key-value pair pattern

Parameter Type Required Default Value Example Description
Type string Yes / processor_split_key_value The plug-in type. Set this to processor_split_key_value.
SourceKey string Yes The name of the source field.
Delimiter string No \t \t The separator between key-value pairs. The default value is the tab character \t.
Separator string No : : The separator between the key and the value in a key-value pair. The default value is a colon (:).
KeepSource Boolean No false false Specifies whether to keep the source field in the log after parsing.
  • true: Keeps the source field.

  • false (default): Does not keep the source field.

ErrIfSourceKeyNotFound Boolean No true false Specifies whether to report an error if the source field is not found in the raw log.
  • true (default): Reports an error.

  • false: Does not report an error.

DiscardWhenSeparatorNotFound Boolean No false false Specifies whether to discard the key-value pair if the separator is not found.
  • true: Discards the pair.

  • false (default): Does not discard the pair.

ErrIfSeparatorNotFound Boolean No true false Specifies whether to report an error if the specified separator is not found.
  • true (default): Reports an error.

  • false: Does not report an error.

ErrIfKeyIsEmpty Boolean No true false Specifies whether to report an error if a key is empty after splitting.
  • true (default): Reports an error.

  • false: Does not report an error.

Quote String No The quote character. If a value is enclosed in the specified quote characters, the content within the quotes is extracted as the value. This parameter supports multiple characters. By default, this feature is disabled. Important * To use a double quotation mark (") as the quote character, you must escape it with a backslash (\\). When a backslash is used with the quote character inside a quoted value, the backslash is included as part of the output value.

Grok pattern

Parameter Type Required Default value Example Description
Type string Yes / processor_grok The type of the plugin. This is fixed to processor_grok.
CustomPatternDir String array No The folder where the custom Grok pattern files are located. The processor_grok plugin reads all files in the folder. If you do not add this parameter, custom Grok pattern files are not imported. Important After updating a custom Grok pattern file, restart Logtail for the changes to take effect.
CustomPatterns Map No Custom GROK patterns. The key is the rule name and the value is the Grok expression. For more information about the default supported expressions, see processor_grok. If the expression you need is not in the link, enter a custom Grok expression in Match. If you do not add this parameter, custom GROK patterns are not used.
SourceKey String No content content The name of the source field. The default value is the content field.
Match String array Yes An array of Grok expressions. The processor_grok plugin matches logs against the expressions in this list from top to bottom. It returns the result of the first successful match. Note Configuring multiple Grok expressions may affect performance. For best performance, use no more than five expressions.
TimeoutMilliSeconds Long No 0 The maximum time to try fetching fields using a Grok expression, in milliseconds. If you do not add this parameter or set it to 0, no timeout occurs.
IgnoreParseFailure Boolean No true true Specifies whether to ignore logs that fail to be parsed.
  • true (default): Ignores the logs.

  • false: Deletes the logs.

KeepSource Boolean No true true Specifies whether to keep the source field after successful parsing.
  • true (default): Keeps the source field.

  • false: Discards the source field.

NoKeyError Boolean No false true Specifies whether the system reports an error if the source field you specified does not exist in the raw log.
  • true: Reports an error.

  • false (default): Does not report an error.

NoMatchError Boolean No true true Specifies whether the system reports an error if none of the expressions set in the Match parameter match the log.
  • true (default): Reports an error.

  • false: Does not report an error.

TimeoutError Boolean No true true Specifies whether the system reports an error if a match times out.
  • true (default): Reports an error.

  • false: Does not report an error.

Add fields

Parameter Type Required Default Example Description
Type string Yes / processor_add_fields The plugin type. The value must be processor_add_fields.
Fields Map Yes The field names and values to add. Specify the fields as key-value pairs. Multiple fields can be added.
IgnoreIfExist Boolean No false false Specifies whether to ignore the new field if a field with the same name already exists.
  • true: Ignores the new field.

  • false (Default): Overwrites the existing field with the new field.

Drop fields

Parameter Type Required Default value Example Description
Type string Yes / processor_drop The type of the plug-in. The value is fixed to processor_drop.
DropKeys String array Yes The fields to drop. You can specify multiple fields.

Rename fields

Parameter Type Required Default value Example Description
Type string Yes / processor_rename The type of the plugin. The value is fixed to processor_rename.
NoKeyError Boolean No false false Specifies whether to report an error if a source field is not found in a log.
  • true: Report an error.

  • false: Do not report an error. This is the default value.

SourceKeys String array Yes The source fields to rename.
DestKeys String array Yes The new names for the fields.

Package fields

Parameter Type Required Default value Example Description
Type string Yes / processor_packjson The type of the plugin. This value is fixed to processor_packjson.
SourceKeys String array Yes The raw fields to package.
DestKey String No The destination field for the packaged data.
KeepSource Boolean No true true Specifies whether to retain the raw fields in the log after parsing.
  • true (default): Retains the raw fields.

  • false: Discards the raw fields.

AlarmIfIncomplete Boolean No true true Specifies whether to report an error if a specified raw field does not exist in the raw log.
  • true (default): Reports an error.

  • false: Does not report an error.

Expand JSON fields

Parameter Type Required Default value Example Description
Type string Yes / processor_json The type of the plug-in. This value is fixed to processor_json.
SourceKey String Yes The name of the source field to parse.
NoKeyError Boolean No true true Specifies whether to report an error if the specified source field does not exist in the raw log.
  • true (default): Reports an error.

  • false: Does not report an error.

ExpandDepth Int No 0 1 The expansion depth for the JSON object. The default value is 0, which indicates no limit. A value of 1 indicates the current level, and so on.
ExpandConnector String No _ _ The connector used to join field names during JSON expansion. The default value is an underscore (_).
Prefix String No The prefix to add to the names of expanded fields.
KeepSource Boolean No true true Specifies whether to keep the source field in the log after it is parsed.
  • true (default): Keeps the source field.

  • false: Discards the source field.

UseSourceKeyAsPrefix Boolean No Specifies whether to use the source field name as the prefix for all expanded field names.
KeepSourceIfParseError Boolean No true true Specifies whether to keep the raw log if parsing fails.
  • true (default): Keeps the raw log.

  • false: Discards the raw log.

ExpandArray Boolean No false false Specifies whether to expand arrays. This parameter is supported in Logtail 1.8.0 and later versions.
  • false (default): Does not expand arrays.

  • true: Expands arrays. For example, {"k":["1","2"]} is expanded into {"k[0]":"1","k[1]":"2"}.

Filter logs

Parameter Type Required Default Value Example Description
Type string Yes / processor_filter_regex The plugin type. The value is fixed to processor_filter_regex.
Include JSON Object No The key is a log field and the value is a regular expression. A logical AND is applied between key-value pairs. A log is collected only if all specified fields match their corresponding regular expressions.
Exclude JSON Object No The key is a log field and the value is a regular expression. A logical OR is applied between key-value pairs. A log is discarded if any specified field matches its corresponding regular expression.

Fetch log time

Parameter Type Required Default value Example Description
Type string Yes / processor_gotime The type of the plugin. The value is fixed to processor_gotime.
SourceKey String Yes The name of the source field.
SourceFormat String Yes The format of the source time.
SourceLocation Int Yes The time zone of the source time. If this parameter is left empty, the time zone of the host or container where Logtail is running is used.
DestKey String Yes The destination field for the parsed data.
DestFormat String Yes The format of the parsed time.
DestLocation Int No The time zone of the parsed time. If this parameter is left empty, the local time zone is used.
SetTime Boolean No true true Specifies whether to use the parsed time as the log time.
  • true (default): Use the parsed time as the log time.

  • false: Do not use the parsed time as the log time.

KeepSource Boolean No true true Specifies whether to keep the source field in the log after it is parsed.
  • true (default): Keep the source field.

  • false: Do not keep the source field.

NoKeyError Boolean No true true Specifies whether to report an error if the specified source field is not found in the raw log.
  • true (default): Report an error.

  • false: Do not report an error.

AlarmIfFail Boolean No true true Specifies whether to report an error if parsing the log time fails.
  • true (default): Report an error.

  • false: Do not report an error.

Transform IP addresses

Parameter Type Required Default value Example Description
Type string Yes / processor_geoip The plugin type. This value is fixed to processor_geoip.
SourceKey String Yes The name of the source field that contains the IP address to transform.
DBPath String Yes /user/data/GeoLite2-City_20180102/GeoLite2-City.mmdb The full path of the GeoIP database. For example, /user/data/GeoLite2-City_20180102/GeoLite2-City.mmdb.
NoKeyError Boolean No false false Specifies whether to report an error if the source field is missing from the raw log.
  • true: Reports an error.

  • false (default): Does not report an error.

NoMatchError Boolean No true true Specifies whether to report an error if the IP address is invalid or not found in the database.
  • true (default): Reports an error.

  • false: Does not report an error.

KeepSource Boolean No true true Specifies whether to keep the source field in the log after parsing.
  • true (default): Keeps the source field.

  • false: Does not keep the source field.

Language String No zh-CN zh-CN The language property. The default value is zh-CN. Important Make sure your GeoIP database includes the specified language.

Data masking

Parameter Type Required Default value Example Description
Type string Yes / processor_desensitize The type of the plugin. The value is fixed to processor_desensitize.
SourceKey string Yes The name of the log field.
Method string Yes const The desensitization method. Valid values:
  • const: Replaces sensitive content with a specified string. Use the ReplaceString parameter to specify the string.

  • md5: Replaces sensitive content with its MD5 hash.

Match string No full full The method to identify the sensitive content. Valid values:
  • full (default): Replaces the entire value of the target field.

  • regex: Uses a regular expression to identify the sensitive content.

ReplaceString string No The string that replaces the sensitive content. This parameter is required if you set Method to const.
RegexBegin string No The regular expression that matches the prefix of the sensitive content. This parameter is required if you set Match to regex.
RegexContent string No The regular expression that matches the sensitive content. This parameter is required if you set Match to regex.

Field value mapping

Parameter Type Required Default value Example Description
Type string Yes / processor_dict_map The plugin type. This value is fixed to processor_dict_map.
SourceKey String Yes The name of the source field.
MapDict Map No The mapping dictionary. Use this parameter to configure a small mapping dictionary. A local CSV dictionary file is not required. Important If you set the DictFilePath parameter, the settings in the MapDict parameter do not take effect.
DictFilePath String No A dictionary file in CSV format. This file uses a comma (,) as the separator and double quotation marks (") to enclose field references.
DestKey String No The name of the destination field.
HandleMissing Boolean No false false Specifies whether to process a raw log if the destination field is missing.
  • true: Process the log. The system fills the field with the value of the Missing parameter.

  • false (default): Do not process the log.

Missing String No Unknown Unknown The value to use for the destination field if it is missing from the raw log. The default value is Unknown. This parameter takes effect only when HandleMissing is set to true.
MaxDictSize Int No 1000 1000 The maximum size of the mapping dictionary. The default value is 1000, which means you can store up to 1000 mapping rules. To limit the server memory used by the plugin, decrease this value.
Mode String No overwrite overwrite The action to take if the destination field already exists in the raw log.
  • overwrite (default): Overwrites the original field.

  • fill: Does not overwrite the original field.

Field encryption

Parameter Type Required Default value Example Description
Type string Yes / processor_encrypt The type of the plugin. The value is fixed to processor_encrypt.
SourceKey String array Yes The names of the source fields.
EncryptionParameters Object Yes The configuration for the encryption key.
Key String Yes The encryption key. The value must be a 64-character hexadecimal string.
IV String No 00000000000000000000000000000000 The initialization vector (IV) for encryption. The value must be a 32-character hexadecimal string. The default value is 00000000000000000000000000000000.
KeyFilePath Boolean No The path to the file that contains the encryption parameters. If this parameter is not set, the system uses the path from File Path in the Input Settings of the Logtail configuration.
KeepSourceValueIfError String No false false Specifies whether to keep the original field value if encryption fails.
  • `true`: Keeps the original value.

  • `false` (default): Does not keep the original value.

If encryption fails, the field value is replaced with ENCRYPT_ERROR.

String replacement

Parameter Type Required Default value Example Description
Type string Yes / processor_string_replace The type of the plugin. The value is fixed to processor_string_replace.
SourceKey String Yes The name of the source field.
Method String Yes Specifies the matching method. Valid values:
  • const: Replaces content with a string.

  • regex: Replaces content using a regular expression.

  • unquote: Removes escape characters.

Match String No The content to match.
  • If Method is set to const, enter the string to replace. All matching strings are replaced.

  • If Method is set to regex, enter the regular expression to match the content to replace. All matching strings are replaced. You can also use regular expression groups to match specific groups.

  • If Method is set to unquote, this parameter is not required.

ReplaceString String No The string used for replacement. The default value is "".
  • If Method is set to const, enter the string to replace the original content.

  • If Method is set to regex, enter the string to replace the original content. Replacement based on regular expression groups is supported.

  • If Method is set to unquote, this parameter is not required.

DestKey String No Specifies a new field for the replaced content. By default, no new field is added.

Data encoding and decoding

Parameter Type Required Default value Example Description
Type string Yes / processor_base64_encoding The type of the plugin. This parameter is fixed to processor_base64_encoding.
SourceKey String Yes The name of the source field.
NewKey String Yes The name of the field that stores the encoded result.
NoKeyError Boolean No false false Specifies whether to report an error if the source field does not exist in the raw log.
  • true: Reports an error.

  • false (default): Does not report an error.

Log to metric

Parameter Type Required Default value Example Description
Type string Yes / processor_log_to_sls_metric The plugin type. The value is fixed to processor_log_to_sls_metric.
MetricTimeKey String No Specifies the time field in the log. This field is mapped to the __time_nano__ field in the time series data. By default, the value of the __time__ field is used. Make sure the specified field is a valid UNIX timestamp. Supported units include seconds (10 digits), milliseconds (13 digits), microseconds (16 digits), and nanoseconds (19 digits).
MetricLabelKeys []String Yes Specifies the list of keys for the __labels__ field. The keys must follow the regular expression ^[a-zA-Z_][a-zA-Z0-9_]*$. The values cannot contain vertical bars (|) or #$#. For more information, see Time series data (Metric). Do not add the __labels__ field to the MetricLabelKeys parameter. If the original log contains a __labels__ field, its value is appended to the new __labels__ field.
MetricValues Map Yes Specifies the metric name and metric value. The metric name corresponds to the __name__ field and must follow the regular expression ^[a-zA-Z_:][a-zA-Z0-9_:]*$. The metric value corresponds to the __value__ field and must be of the Double type. For more information, see Time series data (Metric).
CustomMetricLabels Map No Custom __labels__ fields. The keys must follow the regular expression ^[a-zA-Z_][a-zA-Z0-9_]*$. The values cannot contain vertical bars (|) or #$#. For more information, see Time series data (Metric).
IgnoreError Boolean No Specifies whether to output an error log if no logs are matched. The default value is false, which means no error log is output.

Log to trace

Parameter Type Required Default Value Example Description
Type string Yes / processor_otel_trace The type of the plug-in. This parameter is fixed to processor_otel_trace.
SourceKey String Yes The name of the source field.
Format String Yes json The format after transformation. Valid values: protobuf, json, and protojson.
NoKeyError Boolean No false true Specifies whether to report an error if the source field does not exist in the log. The default value is false.
TraceIDNeedDecode Boolean No Specifies whether to decode the TraceID from Base64. The default value is false. If you set Format to protojson and the TraceID is Base64-encoded, set TraceIDNeedDecode to true. Otherwise, the transformation fails.
SpanIDNeedDecode Boolean No Specifies whether to decode the SpanID from Base64. The default value is false. If you set Format to protojson and the SpanID is Base64-encoded, set SpanIDNeedDecode to true. Otherwise, the transformation fails.
ParentSpanIDNeedDecode Boolean No Specifies whether to decode the ParentSpanID from Base64. The default value is false. If you set Format to protojson and the ParentSpanID is Base64-encoded, set ParentSpanIDNeedDecode to true. Otherwise, the transformation fails.

Output plugins

SLS output plugin

Parameter Type Required Default Value Example Description
Type string Yes / flusher_sls The type of the plugin. This value is fixed to flusher_sls.
Logstore string Yes / test-logstore The name of the Logstore.

Response elements

Element

Type

Description

Example

None defined.

Examples

Success response

JSON format

{}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.