Create and manage log transformers

A log transformer includes one or more processors that are in a logical pipeline together. Each processor is applied to a log event, one after the other in the order that they are listed in the transformer configuration.

Some processors are of the parser type. Each transformer must have at least one parser, and the first processor in a transformer must be a parser.

Some of the parsers are built-in parsers that are configured for a certain type of AWS vended log.

Other processor types are string mutators, JSON mutators, and data processors.

You must follow these guidelines when you create a transformer:

If you include a pre-configured parser for a type of AWS vended logs, it must be the first processor listed in the transformer. You can include only one such processor in a transformer.
You can include only one grok processor in a transformer.
You must have at least one parser-type processor in a transformer. You can include as many as five parser-type processors. This limit of five includes both built-in parsers and configurable parsers.
You can have as many as 20 processors in a transformer.
You can include only one addKeys processor in a transformer.
You can include only one copyValue processor in a transformer.
Each transformer can extract up to 200 fields from a log event.

For more information about all supported processors and their syntax, see Processors that you can use.

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Transform logs during ingestion

Create a log transformer from scratch