Users can sample, filter, enrich and transform log events before they reach their final destination. You have full programmatic access to your log events via Vector Remap Language (VRL).

For example, if you want to drop debug logs from a source before they’re sent to your SIEM, all you have to do is paste the following into the connection’s settings:

type = "filter"
condition = '.level != "debug"'

This filters out any log event whose .level property is set to debug.

Some use cases:

  • sample noisy logs before they hit your SIEM
  • redact PII before it gets to your downstream destination
  • send non-critical logs to cheap storage; replay them to your SIEM if needed
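
For the PII-redaction use case above, a remap transform in the same paste-in form as the filter could look like the following. This is an added example, not configuration from the original page: the field names (.message, .user.password) and the e-mail pattern are assumptions, and it assumes the connection settings accept Vector's remap transform type.

```toml
# Added example: redact PII before events leave the pipeline.
# Field names below are assumed; adjust them to your log schema.
type = "remap"

# By default a VRL runtime error lets the event continue unmodified,
# which here would mean unredacted. Drop such events instead.
drop_on_error = true

source = '''
# Mask US social security numbers (built-in filter) and e-mail addresses
# (custom regex) wherever they appear in the free-text message.
if is_string(.message) {
  .message = redact(
    string!(.message),
    filters: ["us_social_security_number", r'[\w.+-]+@[\w-]+\.[\w.-]+']
  )
}

# Remove a structured field that should never reach the destination.
del(.user.password)
'''
```

Redaction of this kind only covers the fields and patterns it names, so check a sample of real events at the destination after enabling it.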