fluent-plugin-cloudwatch-ingest 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fa80f0aefe36b47c5f3045887a5302ad336218a9
-  data.tar.gz: 7e2c49d83bdefa4d7a4bac558cebc540701c0ab5
+  metadata.gz: 8f7d5923cde41024c0c47da234c11e928c4f1e20
+  data.tar.gz: 3fe64dbc099cb12f0a1419add3f5b92ff33b6bec
 SHA512:
-  metadata.gz: 9d6b4dddbfce28d62059e97890083b3722c1dda9e607665db910394318f32976d7dd32f80061e1a26613e1c9a06e6249af70d75e0a684ea985ab206783d16042
-  data.tar.gz: 71587df57dd7cc6500b1f203888a16d4bfd73a584e3412f1d6dd9d27c21e61a6276b5d2e45d5f3e7768d7fd770a96b2c28becfd063a790e6922ff439f3061c16
+  metadata.gz: ce09d0fd283d29189fd50e503caeee7904482e205c27926993fda0649b2eb5fbae313fc49a919ce0a364c3e875068b7948879839db00864fe488b7f118a47d00
+  data.tar.gz: 4f8d9aeb782b1569ef3cccb1edffd232e02e2fef6f311ddc8224fc43d1165574e3e7cf70737d4fd681e34f5b8d67aaf437e7df3c2131f6cde31b74d6c88546a8

data/README.md

@@ -47,9 +47,11 @@ Or install it yourself as:
     @type cloudwatch_ingest
     expression /^(?<message>.+)$/
     time_format %Y-%m-%d %H:%M:%S.%L
-    event_time true         # take time from the Cloudwatch event, rather than parse it from the body
-    inject_group_name true  # inject the group name into the record
-    inject_stream_name true # inject the stream name into the record
+    event_time true               # take time from the Cloudwatch event, rather than parse it from the body
+    inject_group_name true        # inject the group name into the record
+    inject_stream_name true       # inject the stream name into the record
+    parse_json_body false         # Attempt to parse the body as json and add structured fields from the result
+    fail_on_unparsable_json false # If the body cannot be parsed as json do not ingest the record
   </parse>
 </source>
 ```
@@ -70,6 +72,13 @@ When the state file is located on a shared filesystem an exclusive write lock wi
 As such it is safe to run multiple instances of this plugin consuming from the same CloudWatch logging source without fear of duplication, as long as they share a state file.
 In a properly configured auto-scaling group this provides for uninterrupted log ingestion in the event of a failure of any single node.
 
+### JSON parsing
+With the `parse_json_body` option set to `true` the plugin will attempt to parse the body of the log entry as JSON. If this is successful any field/value pairs found will be added to the emitted record as structured fields.
+
+If `fail_on_unparsable_json` is set to `true` a record body consisting of malformed json will cause the record to be rejected. You may wish to leave this setting as false if the plugin is ingesting multiple log groups with a mixture of json/structured and unstructured content.
+
+The `expression` is applied before JSON parsing is attempted. One may therefore extract a JSON fragment from within the event body if it is decorated with additional free-form text.
+
 ### Sub-second timestamps
 When using `event_time true` the `@timestamp` field for the record is taken from the time recorded against the event by Cloudwatch. This is the most common mode to run in as it's an easy path to normalization: all of your Lambdas or other AWS service need not have the same, valid, `time_format` nor a regex that matches every case.
 
@@ -78,9 +87,7 @@ If your output plugin supports sub-second precision (and you're running fluentd
 #### Elasticsearch
 It is a common pattern to use fluentd alongside the [fluentd-plugin-elasticsearch](https://github.com/uken/fluent-plugin-elasticsearch) plugin, either directly or via [fluent-plugin-aws-elasticsearch-service](https://github.com/atomita/fluent-plugin-aws-elasticsearch-service), to ingest logs into Elasticsearch.
 
-At present there is a bug within this plugin that, via an unwise cast, causes records without a named timestamp field to be cast to `DateTime`, losing the precision. This PR: https://github.com/uken/fluent-plugin-elasticsearch/pull/249 fixes that issue. If you need this functionality then I would urge you to comment and express interest over there.
-
-Failing that I maintain my own fork of that repository with the fix in place: https://github.com/sampointer/fluent-plugin-elasticsearch/tree/add_configurable_time_precision_when_timestamp_missing
+Prior to version 1.9.5 there was a bug within that plugin which, via an unwise cast, caused records without a named timestamp field to be cast to `DateTime`, losing the precision. This PR: https://github.com/uken/fluent-plugin-elasticsearch/pull/249 fixed that issue.
 
 ### IAM
 IAM is a tricky and often bespoke subject. Here's a starter that will ingest all of the logs for all of your Lambdas in the account in which the plugin is running:
@@ -116,8 +123,7 @@ IAM is a tricky and often bespoke subject. Here's a starter that will ingest all
 ```
 
 ### Cross-account authentication
-Is a tricky subject that probably cannot be described here. Broadly speaking the IAM instance role of the host on which the plugin is running
-needs to be able to `sts:AssumeRole` the `sts_arn` (and obviously needs `sts_enabled` to be true).
+Broadly speaking the IAM instance role of the host on which the plugin is running needs to be able to `sts:AssumeRole` the `sts_arn` (and obviously needs `sts_enabled` to be true).
 
 The assumed role should look more-or-less like that above in terms of the actions and resource combinations required.
 

data/fluent-plugin-cloudwatch-ingest.gemspec

@@ -34,4 +34,5 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'fluentd', '~>0.14.13'
   spec.add_dependency 'aws-sdk', '~>2.8.4'
+  spec.add_dependency 'multi_json', '~>1.12'
 end

data/lib/fluent/plugin/cloudwatch/ingest/version.rb

@@ -2,7 +2,7 @@ module Fluent
   module Plugin
     module Cloudwatch
       module Ingest
-        VERSION = '0.4.0'.freeze
+        VERSION = '0.5.0'.freeze
       end
     end
   end

data/lib/fluent/plugin/parser_cloudwatch_ingest.rb

@@ -1,5 +1,6 @@
 require 'fluent/plugin/parser_regexp'
 require 'fluent/time'
+require 'multi_json'
 
 module Fluent
   module Plugin
@@ -11,6 +12,8 @@ module Fluent
       config_param :event_time, :bool, default: true
       config_param :inject_group_name, :bool, default: true
       config_param :inject_stream_name, :bool, default: true
+      config_param :parse_json_body, :bool, default: false
+      config_param :fail_on_unparsable_json, :bool, default: false
 
       def initialize
         super
@@ -28,6 +31,18 @@ module Fluent
           record = r
         end
 
+        # Optionally attempt to parse the body as json
+        if @parse_json_body
+          begin
+            record.merge!(MultiJson.load(record))
+          rescue MultiJson::ParseError
+            if @fail_on_unparsable_json
+              yield nil, nil
+              return
+            end
+          end
+        end
+
         # Inject optional fields
         record['log_group_name'] = group if @inject_group_name
         record['log_stream_name'] = stream if @inject_stream_name

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-cloudwatch-ingest
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Sam Pointer
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-05-25 00:00:00.000000000 Z
+date: 2017-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.8.4
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
 description: Fluentd plugin to ingest AWS Cloudwatch logs
 email:
 - san@outsidethe.net