For logs coming from the Datadog Agent, use this processor to exclude or include specific tags in the Datadog tags (ddtags) array. Tags that are excluded or not included are dropped and may reduce your outbound log volume.

To set up the processor:

1. Define a filter query. Only matching logs are processed by this processor, but all logs continue to the next step in the pipeline.
2. Optionally, input a Datadog tags array for the Configure tags section. The supported formats are ["key:value", "key"]. See Define Tags for more information about the key:value format.
3. In the Configure tags section, choose whether to Exclude tags or Include tags. If you provided a tag array in the previous step, select the tag keys you want to configure. You can also manually add tag keys. Note: You can select up to 100 tags.

Filter query syntax

Each processor has a corresponding filter query in their fields. Processors only process logs that match their filter query. And for all processors except the filter processor, logs that do not match the query are sent to the next step of the pipeline. For the filter processor, logs that do not match the query are dropped.

The following are filter query examples:

• NOT (status:debug): This filters for logs that do not have the status DEBUG.
• status:ok service:flask-web-app: This filters for all logs with the status OK from your flask-web-app service.
  • This query can also be written as: status:ok AND service:flask-web-app.
• host:COMP-A9JNGYK OR host:COMP-J58KAS: This filter query only matches logs from the labeled hosts.
• user.status:inactive: This filters for logs with the status inactive nested under the user attribute.
• http.status:[200 TO 299] or http.status:{300 TO 399}: These two filters represent the syntax to query a range for http.status. Ranges can be used across any attribute.

Learn more about writing filter queries in Observability Pipelines Search Syntax.