From 5d5e8018cffafaefca15384a021e73c3926a101c Mon Sep 17 00:00:00 2001
From: cbruno10
Date: Mon, 3 Feb 2025 12:59:44 -0500
Subject: [PATCH] Add argument and `filter` example to
 reference/config-files/partition.md

---
 docs/reference/config-files/partition.md | 33 +++++++++++++++++-------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/docs/reference/config-files/partition.md b/docs/reference/config-files/partition.md
index b71e680..1570fbc 100644
--- a/docs/reference/config-files/partition.md
+++ b/docs/reference/config-files/partition.md
@@ -6,6 +6,12 @@ title: partition
 
 The [partition](/docs/manage/partition) block defines the set of log rows, in a plugin-defined Tailpipe table, that come from a specified [source](/docs/manage/source). A given Tailpipe table, like `aws_cloudtrail_log`, can include multiple partitions that use one or several `source` types.