indy 0.3.4 → 0.4.0.pre

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: daf391715ba62b54e26aceed291bb60ca7e4b44c
+  data.tar.gz: f02335c95b62f424f1325e87b95729da4d3c77ce
+SHA512:
+  metadata.gz: b5390c28c66aa47a30848e4fd72ea40753b8ae46cbc6c7f66b9f130c8adafbf9909e22d742f76271a311f48a21a3c4f416999de1cecda07485cf9c33a640ce6c
+  data.tar.gz: 5a6328e2c45a0872098192d5a3c73224cd487c54838ab4b7524483182bbe9b4d3dcce521d7065e6ad4782a35e8da45deee988d076fb9b8167980ed8dcb2da4e5

data/.gitignore

@@ -1,3 +1,12 @@
+.idea
 *.rbc
 nbproject
+.yardoc
+coverage
+doc
+rerun.txt
+Gemfile.lock
+misc
+.idea
+*.swp
 

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+rvm:
+  - 2.0.0
+  - 1.9.3
+  - jruby-19mode # JRuby in 1.9 mode
+  - rbx-19mode
+  - 1.8.7
+  - ree

data/Guardfile

@@ -0,0 +1,12 @@
+guard 'rspec', :cli => "--color --format p" do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$}) { "spec" }
+  watch('spec/helper.rb') { "spec" }
+end
+
+guard 'cucumber', :cli => "--color --format progress" do
+  watch(%r{^features/.+\.feature$})
+  watch(%r{^features/step_definitions/.+\.rb$}) { "features" }
+  watch(%r{^features/step_definitions/support/.+\.rb$}) { "features" }
+  watch(%r{^lib/(.+)\.rb$}) { "features" }
+end

data/History.txt

@@ -1,3 +1,9 @@
+=== 0.4.0 / unreleased
+
+* Faster time scoped searches when using single line log formats
+* result[:entry] had replaced result[:line]
+* Indy#all has replaced Indy#for(:all)
+
 === 0.3.4 / 2011-08-07
 
 * Updated gemspec

data/README.md

@@ -15,12 +15,31 @@ To install Indy use the following command:
     
 (Add `sudo` if you're installing under a POSIX system as root)
 
+Compatibility
+-------------
+
+[![build status](https://travis-ci.org/bfaloona/Indy.png)](http://travis-ci.org/bfaloona/Indy)
+
+Indy supports MacOS, *nix, and MS Windows and runs on the following ruby flavors:
+
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+  - ree
+  - jruby-19mode
+  - rbx-19mode
+
 Usage
 -----
 
-## Require Indy
+## Example
 
     require 'indy'
+    log = Indy.search(File.open('my_log.txt','r')).with(Indy::LOG4R_FORMAT)
+    puts log.all.first.raw_entry
+    # => "2012-09-07 10:01:40 INFO MyApp - Entering APPLICATION."
+    puts log.after(:time => '2012-09-07 20:00:00').for(:application => 'MyApp').first.message
+    # => "Exiting Application"
 
 ## Specify your Source
 
@@ -32,6 +51,7 @@ Usage
 
     Indy.search(file_object).for(:application => 'MyApp')
     Indy.search(:file => file_object).for(:application => 'MyApp')
+    Indy.search(:file => '/log/data.log').for(:application => 'MyApp')
 
 ### As a string
 
@@ -46,15 +66,19 @@ Usage
 ### Default Log Format
   
 The default log format follows this form:
-YYYY-MM-DD HH:MM:SS SEVERITY APPLICATION_NAME - MESSAGE
 
-Which uses this Regexp:
+    YYYY-MM-DD HH:MM:SS SEVERITY APPLICATION_NAME - MESSAGE
+
+which uses this regular expression:
+    
     /^(\d{4}.\d{2}.\d{2}\s+\d{2}.\d{2}.\d{2})\s+(TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\s+(\w+)\s+-\s+(.+)$/
 
 and specifies these fields:  
+    
     [:time, :severity, :application, :message]
 
-For example:  
+allowing searches like so:
+    
     Indy.search(log_file).for(:severity => 'INFO')
     Indy.search(log_file).for(:application => 'MyApp', :severity => 'DEBUG')
 
@@ -120,10 +144,15 @@ Example:
 
 By default, Indy tries to guess your time format (courtesy of DateTime#parse). If you supply an explicit time format, it will use DateTime#strptime, as well as try to guess.
 
-This is required when log data uses a non-standard date format, e.g.: U.S. format 12-31-2000
+This is required when log data uses a non-standard date format, e.g.: U.S. format 12-31-2000, and must be used in
+conjunction with :entry_regexp and :entry_fields parameters.
 
-    # 12-31-2011 23:59:59
-    Indy.new(:time_format => '%m-%d-%Y %H:%M:%S', :source => LOG_FILE).for(:all)
+    # 12-31-2011 Application starting
+    Indy.new(   :time_format => '%m-%d-%Y',
+                :source => LOG_FILE,
+                :entry_regexp => /\d\d-\d\d-\d\d\d\d .*?/,
+                :entry_fields => [:time, :message]
+    ).all
 
 ## Match Criteria
 
@@ -152,28 +181,28 @@ Multiple scope methods can be called on an instance. Use #reset_scope to remove
 ### Time Scope
 
     # After Dec 1
-    Indy.search(source).after(:time => '2010-12-01 23:59:59').for(:all)
+    Indy.search(source).after(:time => '2010-12-01 23:59:59').all
 
     # 20 minutes Around New Year's eve
-    Indy.search(source).around(:time => '2011-01-01 00:00:00', :span => 20).for(:all)
+    Indy.search(source).around(:time => '2011-01-01 00:00:00', :span => 20).all
 
     # After Jan 1 but Before Feb 1
     @log = Indy.search(source)
     @log.after(:time => '2011-01-01 00:00:00').before(:time => '2011-02-01 00:00:00')
-    @log.for(:all)
+    @log.all
 
     # Within Jan 1 and Feb 1 (same time scope as above)
-    Indy.search(source).within(:time => ['2011-01-01 00:00:00','2011-02-01 00:00:00']).for(:all)
+    Indy.search(source).within(:start_time => '2011-01-01 00:00:00', :end_time =>'2011-02-01 00:00:00').all
 
     # After Jan 1
     @log = Indy.search(source)
     @log.after(:time => '2011-01-01 00:00:00')
-    @log.for(:all)
+    @log.all)
     # Reset the time scope to include entries before Jan 1
     @log.reset_scope
     # Before Feb 1
     @log.before(:time => '2011-02-01 00:00:00')
-    @log.for(:all)
+    @log.all
 
 ## Process the Results
 
@@ -233,4 +262,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -20,6 +20,13 @@ RSpec::Core::RakeTask.new(:perf) do |t|
   t.rspec_opts = ['-f d']
 end
 
+desc "Run code coverage"
+task :coverage do
+  ENV['COVERAGE'] = '1'
+  Rake::Task['spec'].invoke
+  Rake::Task['features'].invoke
+end
+
 desc "Run features"
 Cucumber::Rake::Task.new(:features) do |task|
   task.cucumber_opts = ["features", "-f progress"]

data/features/step_definitions/find_by.steps.rb

@@ -30,6 +30,6 @@ When /^searching the log for the exact match of custom field ([^"]+)\s*"([^"]+)"
 end
 
 Then /^I expect the (first|last|\d+(?:st|nd|rd|th)) entry to be:$/ do |position,expected|
-  @results[position].line.should == expected
+  @results[position].raw_entry.should == expected
 end
 

data/features/step_definitions/log_file.steps.rb

@@ -8,5 +8,5 @@ Given /^the following log:$/ do |string|
 end
 
 And /^the custom pattern \(([^\)]+)\):$/ do |fields,pattern|
-  @indy = @indy.with( [ pattern, fields.split(',').map{|f| f.to_sym} ].flatten)
+  @indy = @indy.with({ :entry_regexp => pattern, :entry_fields => fields.split(',').map{|f| f.to_sym} })
 end

data/features/step_definitions/time.steps.rb

@@ -4,26 +4,26 @@ When /^searching the log for the time (.+)$/ do |time|
 end
 
 When /^searching the log for all entries after( and including)? the time (.+)$/ do |inclusive,time|
-  @results = @indy.after(:time => time, :inclusive => (inclusive ? true : false)).for(:all)
+  @results = @indy.after(:time => time, :inclusive => (inclusive ? true : false)).all
 end
 
 When /^searching the log for all entries before( and including)? the time (.+)$/ do |inclusive,time|
-  @results = @indy.before(:time => time, :inclusive => (inclusive ? true : false)).for(:all)
+  @results = @indy.before(:time => time, :inclusive => (inclusive ? true : false)).all
 end
 
 When /^searching the log for all entries between( and including)? the times? (.+) and (.+)$/ do |inclusive,start,stop|
-  @results = @indy.within(:time => [start,stop], :inclusive => (inclusive ? true : false)).for(:all)
+  @results = @indy.within(:start_time => start,  :end_time => stop, :inclusive => (inclusive ? true : false)).all
 end
 
 When /^searching the log for all entries (\d+) minutes around( and including)? the time (.+)$/ do |time_span,inclusive,time|
-  @results = @indy.around(:time => time, :span => time_span, :inclusive => (inclusive ? true : false)).for(:all)
+  @results = @indy.around(:time => time, :span => time_span, :inclusive => (inclusive ? true : false)).all
 end
 
 When /^searching the log for all entries (\d+) minutes after( and including)? the time (.+)$/ do |time_span,inclusive,time|
-  @results = @indy.after(:time => time, :span => time_span, :inclusive => (inclusive ? true : false)).for(:all)
+  @results = @indy.after(:time => time, :span => time_span, :inclusive => (inclusive ? true : false)).all
 end
 
 When /^searching the log for all entries (\d+) minutes before( and including)? the time (.+)$/ do |time_span,inclusive,time|
-  @results = @indy.before(:time => time, :span => time_span, :inclusive => (inclusive ? true : false)).for(:all)
+  @results = @indy.before(:time => time, :span => time_span, :inclusive => (inclusive ? true : false)).all
 end
 

data/indy.gemspec

@@ -1,12 +1,11 @@
 $LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
 require 'indy/version'
 
-
 Gem::Specification.new do |s|
   s.name        = 'indy'
   s.version     = ::Indy::VERSION
   s.authors     = ["Franklin Webber","Brandon Faloona"]
-  s.description = %{ Indy is a log archelogy library that treats logs like data structures. Search fixed format or custom logs by field and/or time. }
+  s.description = %{ Indy is a log archaeology library that treats logs like data structures. Search standard or custom log formats by field and/or time. }
   s.summary     = "indy-#{s.version}"
   s.email       = 'brandon@faloona.net'
   s.homepage    = "http://github.com/bfaloona/Indy"
@@ -16,17 +15,27 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.8.5'
   s.add_dependency('activesupport', '>= 2.3.5')
 
+  s.add_development_dependency('rake')
   s.add_development_dependency('i18n')
-  s.add_development_dependency('cucumber', '>= 0.10.0')
+  s.add_development_dependency('cucumber', '>= 1.1.0')
   s.add_development_dependency('yard', '>= 0.7.2')
-  s.add_development_dependency('yard-cucumber', '>= 2.1.1')
-  s.add_development_dependency('rspec', '>= 2.4.0')
-  s.add_development_dependency('rspec-mocks', '>= 2.4.0')
-  s.add_development_dependency('flog', '>= 2.5.0')
-#  s.add_development_dependency('rspec-prof', '>= 0.0.3')
-#  s.add_development_dependency('simplecov', '>= 0.4.0')
-#  s.add_development_dependency('ruby-debug19', '>= 0.11.0')
-#  s.add_development_dependency('rbx-linecache')
+  s.add_development_dependency('rspec', '>= 2.9.0')
+  s.add_development_dependency('rspec-mocks', '>= 2.9.0')
+  s.add_development_dependency('rb-fsevent')
+  s.add_development_dependency('ruby_gntp')
+  s.add_development_dependency('growl')                                
+
+  unless ENV['TRAVIS'] == 'true'
+    s.add_development_dependency('yard-cucumber', '>= 2.1.1')
+    s.add_development_dependency('flog', '>= 2.5.0')
+    s.add_development_dependency('guard')
+    unless ENV['RUBY_VERSION'] &&  ENV['RUBY_VERSION'].match(/jruby|rbx/)
+      s.add_development_dependency('guard-rspec')
+      s.add_development_dependency('guard-cucumber')
+      s.add_development_dependency('rspec-prof', '>= 0.0.3')
+      s.add_development_dependency('simplecov', '>= 0.4.0')
+    end
+  end
 
   changes = Indy.show_version_changes(::Indy::VERSION)
 
@@ -43,8 +52,7 @@ Gem::Specification.new do |s|
 
   }
 
-  
-  s.rubygems_version  = "1.6.1"
+  # s.rubygems_version  = "1.6.1"
 
   exclusions          = [File.join("performance", "large.log")]
   s.files             = `git ls-files`.split("\n") - exclusions

data/lib/indy.rb

@@ -1,6 +1,12 @@
 begin
   require 'simplecov'
-  SimpleCov.start if ENV["COVERAGE"]
+  if ENV["COVERAGE"]
+    SimpleCov.start do
+      add_filter "/spec/"
+      add_filter "/performance/"
+      add_filter "/features/"
+    end
+  end
 rescue Exception => e
   # ignore
 end
@@ -8,7 +14,9 @@ end
 $:.unshift(File.dirname(__FILE__)) unless
   $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
 
+require 'indy/log_definition'
 require 'indy/source'
+require 'indy/search'
 require 'indy/indy'
-require 'indy/result_set'
 require 'indy/log_formats'
+require 'indy/time'

data/lib/indy/indy.rb

@@ -1,200 +1,126 @@
-require 'active_support/core_ext'
-
 class Indy
 
-  def self.suppress_warnings(&block)
-    verbose = $VERBOSE
-    $VERBOSE = nil
-    yield block
-    $VERBOSE = verbose
-  end
-
-  # hash with one key (:string, :file, or :cmd) set to the string that defines the log
-  attr_accessor :source
-
-  # array with regexp string and capture groups followed by log field
-  # name symbols. :time field is required to use time scoping
-  attr_accessor :log_format
-
-  # format string for explicit date/time format (optional)
-  attr_accessor :time_format
-
-  # initialization flag (true || nil) to enable multiline log entries. See README
-  attr_accessor :multiline
+  # search object
+  attr_accessor :search
 
   #
-  # Initialize Indy. Also see class method Indy.search()
+  # Initialize Indy. Also see class method Indy#search.
   #
   # @example
   #
-  #  Indy.new(:source => LOG_FILE)
   #  Indy.new(:source => LOG_CONTENTS_STRING)
   #  Indy.new(:source => {:cmd => LOG_COMMAND_STRING})
-  #  Indy.new(:log_format => [LOG_REGEX_PATTERN,:time,:application,:message],:source => LOG_FILE)
-  #  Indy.new(:time_format => '%m-%d-%Y',:pattern => [LOG_REGEX_PATTERN,:time,:application,:message],:source => LOG_FILE)
+  #  Indy.new(:entry_regexp => LOG_REGEX_PATTERN, :entry_fields => [:time,:application,:message], :source => LOG_FILE)
+  #  Indy.new(:time_format => '%m-%d-%Y', :entry_regexp => LOG_REGEX_PATTERN, :entry_fields => [:time,:application,:message], :source => LOG_FILE)
   #
   def initialize(args)
-    @source = @log_format = @time_format = @log_regexp = @log_fields = @multiline = nil
-
-    while (arg = args.shift) do
-      send("#{arg.first}=",arg.last)
-    end
-
-    update_log_format( @log_format )
-
-  end
-
-  #
-  # Create an Indy::Source object to manage the log source
-  #
-  # @param [String,Hash] source A filename, or log content as a string. Use a Hash with :cmd key to specify a command string.
-  #
-  def source=(param)
-    @source = Source.new(param)
+    params_hash = args.dup
+    raise ArgumentError, "Source parameter not specified" unless (params_hash.respond_to?(:keys) && params_hash.keys.include?(:source))
+    source_param = params_hash[:source]
+    params_hash.delete :source
+    log_definition = LogDefinition.new(params_hash)
+    @search = Search.new(:log_definition => log_definition)
+    @search.source = Source.new(source_param,log_definition)
   end
 
   class << self
 
     #
-    # Create a new instance of Indy with @source, or multiple, parameters
-    # specified.  This allows for a more fluent creation that moves 
-    # into the execution.
+    # Create a new instance of Indy specifying source, or multiple parameters.
     #
-    # @param [String,Hash] params To specify @source, provide a filename or
-    #   log contents as a string. To specify a command, use a :cmd => STRING hash.
-    #   Alternately, a Hash with a :source key (amoung others) can be used to
-    #   provide multiple initialization parameters.
+    # @param [String,Hash] params To specify a source directly, provide log contents
+    #   as a string. Using a hash you can specify source with a :cmd or :file key.
+    #   Alternately, a hash with a :source key (among others) can be used to
+    #   provide multiple initialization parameters. See Indy#new.
     #
-    # @example filename source
-    #   Indy.search("apache.log").for(:severity => "INFO")
-    #   
     # @example string source
-    #   Indy.search("INFO 2000-09-07 MyApp - Entering APPLICATION.\nINFO 2000-09-07 MyApp - Entering APPLICATION.").for(:all)
+    #   Indy.search("INFO 2000-09-07 MyApp - Entering APPLICATION.\nINFO 2000-09-07 MyApp - Entering APPLICATION.").all
     #
     # @example command source
-    #   Indy.search(:cmd => "cat apache.log").for(:severity => "INFO")
+    #   Indy.search(:cmd => "cat apache.log").all
+    #
+    # @example file source
+    #   Indy.search(:file => "/logs/apache.log").all
     #
-    # @example source as well as other paramters
-    #   Indy.search(:source => {:cmd => "cat apache.log"}, :log_format => LOG_FORMAT, :time_format => MY_TIME_FORMAT).for(:all)
+    # @example source as well as other parameters
+    #   Indy.search(:source => {:cmd => "cat apache.log"}, :entry_regexp => REGEXP, :entry_fields => [:field_one, :field_two], :time_format => MY_TIME_FORMAT).all
     #
     def search(params=nil)
-  
       if params.respond_to?(:keys) && params[:source]
         Indy.new(params)
       else
-        Indy.new(:source => params, :log_format => DEFAULT_LOG_FORMAT)
+        Indy.new(:source => params, :entry_regexp => LogFormats::DEFAULT_ENTRY_REGEXP, :entry_fields => LogFormats::DEFAULT_ENTRY_FIELDS)
       end
     end
 
-    #
-    # Return a Struct::Line object from a hash of values from a log entry
-    #
-    # @param [Hash] line_hash a hash of :field_name => value pairs for one log line
-    #
-    def create_struct( line_hash )
-      params = line_hash.keys.sort_by{|e|e.to_s}.collect {|k| line_hash[k]}
-      Struct::Line.new( *params )
-    end
-
   end
 
-
   #
-  # Specify the log format to use as the comparison against each line within
+  # Specify the log format to use as the comparison against each entry within
   # the log file that has been specified.
   #
-  # @param [Array] log_format an Array with the regular expression as the first element
+  # @param [Array,LogDefinition] log_definition either a LogDefinition object or an Array with the regular expression as the first element
   #        followed by list of fields (Symbols) in the log entry
-  #        to use for comparison against each log line.
+  #        to use for comparison against each log entry.
   #
   # @example Log formatted as - HH:MM:SS Message
   #
   #  Indy.search(LOG_FILE).with(/^(\d{2}.\d{2}.\d{2})\s*(.+)$/,:time,:message)
   #
-  def with(log_format = :default)
-    update_log_format( log_format )
+  def with(params=:default)
+    @search.log_definition = LogDefinition.new(params)
     self
   end
-  
+
   #
-  # Search the source and make an == comparison
+  # Return all entries
   #
-  # @param [Hash,Symbol] search_criteria the field to search for as the key and the
-  #        value to compare against the other log messages.  This function also
-  #        supports symbol :all to return all messages
-  #
-  def for(search_criteria)
-    results = ResultSet.new
-    case search_criteria
-    when Enumerable
-      results += _search do |result|
-        result_struct = Indy.create_struct(result) if search_criteria.reject {|criteria,value| result[criteria] == value }.empty?
-        yield result_struct if block_given? and result_struct
-        result_struct
-      end
-
-    when :all
-      results += _search do |result|
-        result_struct = Indy.create_struct(result)
-        yield result_struct if block_given?
-        result_struct
-      end
-    end
-
-    results.compact
+  def all(&block)
+    @search.iterate_and_compare(:all,nil,&block)
   end
 
+  #
+  # Search the source and make an == comparison
+  #
+  # @param [Hash] search_criteria the field to search for as the key and the
+  #        value to compare against the log entries.
+  #
+  def for(search_criteria,&block)
+    @search.iterate_and_compare(:for,search_criteria,&block)
+  end
 
   #
   # Search the source and make a regular expression comparison
   #
   # @param [Hash] search_criteria the field to search for as the key and the
-  #        value to compare against the other log messages
+  #         value to compare against the log entries.
+  #         The value will be treated as a regular expression.
   #
   # @example For all applications that end with Service
   #
   #  Indy.search(LOG_FILE).like(:application => '.+service')
   #
-  def like(search_criteria)
-    results = ResultSet.new
-
-    results += _search do |result|
-      result_struct = Indy.create_struct(result) if search_criteria.reject {|criteria,value| result[criteria] =~ /#{value}/i }.empty?
-      yield result_struct if block_given? and result_struct
-      result_struct
-    end
-
-    results.compact
+  def like(search_criteria,&block)
+    @search.iterate_and_compare(:like,search_criteria,&block)
   end
-
   alias_method :matching, :like
 
-
   #
-  # Scopes the eventual search to the last N entries, or last N minutes of entries.
+  # Scopes the eventual search to the last N minutes of entries.
   #
   # @param [Hash] scope_criteria hash describing the amount of time at
-  # the last portion of the source
+  #         the last portion of the source
   #
   # @example For last 10 minutes worth of entries
   #
-  #   Indy.search(LOG_FILE).last(:span => 100).for(:all)
+  #   Indy.search(LOG_FILE).last(:span => 10).all
   #
   def last(scope_criteria)
-    case scope_criteria
-    when Enumerable
-      raise ArgumentError unless scope_criteria[:span] || scope_criteria[:rows]
-      
-      if scope_criteria[:span]
-        span = (scope_criteria[:span].to_i * 60).seconds
-        starttime = parse_date(last_entry[:_time]) - span
-
-        within(:time => [starttime, forever])
-      end
-    else
-      raise ArgumentError, "Invalid parameter: #{scope_criteria.inspect}"
-    end
-
+    raise ArgumentError, "Unsupported parameter to last(): #{scope_criteria.inspect}" unless scope_criteria.respond_to?(:keys) and scope_criteria[:span]
+    span = (scope_criteria[:span].to_i * 60).seconds
+    entry = last_entries(1)[0]
+    start_time = Indy::Time.parse_date(entry[:time],@search.log_definition.time_format) - span
+    within(:start_time => start_time, :end_time => Indy::Time.forever(@search.log_definition.time_format))
     self
   end
 
@@ -207,32 +133,14 @@ class Indy
   #
   # @example For all messages after specified date
   #
-  #   Indy.search(LOG_FILE).after(:time => time).for(:all)
+  #   Indy.search(LOG_FILE).after(:time => time).all
   #
   def after(scope_criteria)
-    if scope_criteria[:time]
-      time = parse_date(scope_criteria[:time])
-      @inclusive = @inclusive || scope_criteria[:inclusive] || nil
-
-      if scope_criteria[:span]
-        span = (scope_criteria[:span].to_i * 60).seconds
-        within(:time => [time, time + span])
-      else
-        @start_time = time
-      end
-    end
-
+    params = scope_criteria.merge({:direction => :after})
+    within(params)
     self
   end
 
-  #
-  # Removes any existing start and end times from the instance
-  # Otherwise consecutive search calls retain time scope state
-  #
-  def reset_scope
-    @inclusive = @start_time = @end_time = nil
-  end
-    
   #
   # Scopes the eventual search to all entries prior to this point.
   #
@@ -241,36 +149,25 @@ class Indy
   #
   # @example For all messages before specified date
   #
-  #   Indy.search(LOG_FILE).before(:time => time).for(:all)
-  #   Indy.search(LOG_FILE).before(:time => time, :span => 10).for(:all)
+  #   Indy.search(LOG_FILE).before(:time => time).all
+  #   Indy.search(LOG_FILE).before(:time => time, :span => 10).all
   #
   def before(scope_criteria)
-    if scope_criteria[:time]
-      time = parse_date(scope_criteria[:time])
-      @inclusive = @inclusive || scope_criteria[:inclusive] || nil
-
-      if scope_criteria[:span]
-        span = (scope_criteria[:span].to_i * 60).seconds
-        within(:time => [time - span, time], :inclusive => scope_criteria[:inclusive])
-      else
-        @end_time = time
-      end
-    end
-
-    self
+    params = scope_criteria.merge({:direction => :before})
+    within(params)
   end
 
+  #
+  # Scopes the eventual search to all entries near this point.
+  #
+  # @param [Hash] scope_criteria the hash containing :time and :span (in minutes) to scope the log.
+  #               :span defaults to 5 minutes.
+  #
   def around(scope_criteria)
-    if scope_criteria[:time]
-      time = parse_date(scope_criteria[:time])
-
-      @inclusive = nil
-      warn "Ignoring inclusive scope_criteria" if scope_criteria[:inclusive]
-
-      half_span = ((scope_criteria[:span].to_i * 60)/2).seconds rescue 300.seconds
-      within(:time => [time - half_span, time + half_span])
-    end
-
+    raise ArgumentError unless scope_criteria.respond_to?(:keys) and scope_criteria[:time]
+    time = Indy::Time.parse_date(scope_criteria[:time])
+    mid_span = ((scope_criteria[:span].to_i * 60)/2).seconds rescue 300.seconds
+    within(:start_time => time - mid_span, :end_time => time + mid_span, :inclusive => nil)
     self
   end
 
@@ -278,264 +175,46 @@ class Indy
   #
   # Scopes the eventual search to all entries between two times.
   #
-  # @param [Hash] scope_criteria the field to scope for as the key and the
-  #        value to compare against the other log messages
+  # @param [Hash] params the :start_time, :end_time and :inclusive key/value pairs
   #
   # @example For all messages within the specified dates
   #
-  #   Indy.search(LOG_FILE).within(:time => [start_time,stop_time]).for(:all)
+  #   Indy.search(LOG_FILE).within(:start_time => start_time, :end_time => end_time, :inclusive => true).all
   #
-  def within(scope_criteria)
-    if scope_criteria[:time]
-      @start_time, @end_time = scope_criteria[:time].collect {|str| parse_date(str) }
-
-      @inclusive = @inclusive || scope_criteria[:inclusive] || nil
-    end
-
+  def within(params)
+    @search.time_scope(params)
     self
   end
 
-
-  private
-
-  #
-  # Set @pattern as well as @log_regexp, @log_fields, and @time_field
-  #
-  # @param [Array] pattern_array an Array with the regular expression as the first element
-  #        followed by list of fields (Symbols) in the log entry
-  #        to use for comparison against each log line.
-  #
-  def update_log_format( log_format )
-
-    case log_format
-    when :default, nil
-      @log_format = DEFAULT_LOG_FORMAT
-    else
-      @log_format = log_format
-    end
-
-    @log_regexp, *@log_fields = @log_format
-
-    @time_field = ( @log_fields.include?(:time) ? :time : nil )
-
-    # now that we know the fields
-    define_struct
-
-  end
-
-  #
-  # Search the @source and yield to the block the line that was found
-  # with @log_regexp and @log_fields
-  #
-  # This method is supposed to be used internally.
-  #
-  def _search(&block)
-
-    line_matched = nil
-    time_search = use_time_criteria?
-
-    source_io = @source.open(time_search)
-
-    if @multiline
-      results = source_io.read.scan(Regexp.new(@log_regexp, Regexp::MULTILINE)).collect do |entry|
-
-        hash = parse_line(entry)
-        hash ? (line_matched = true) : next
-
-        if time_search
-          set_time(hash)
-          next unless inside_time_window?(hash)
-        else
-          hash[:_time] = nil if hash
-        end
-
-        block_given? ? block.call(hash) : nil
-      end
-
-    else
-      results = source_io.collect do |line|
-        hash = parse_line(line)
-        hash ? (line_matched = true) : next
-
-        if time_search
-          set_time(hash)
-          next unless inside_time_window?(hash)
-        else
-          hash[:_time] = nil if hash
-        end
-
-        block_given? ? block.call(hash) : nil
-      end
-
-    end
-
-#    warn "No matching lines found in source: #{source_io.class}" unless line_matched
-
-    results.compact
-  end
-
-  #
-  # Return a hash of field=>value pairs for the log line
-  #
-  # @param [String] line The log line
-  # @param [Array] pattern_array The match regexp string, followed by log fields
-  #   see Class method search
-  #
-  def parse_line( line )
-
-    if line.kind_of? String
-      match_data = nil
-      Indy.suppress_warnings { match_data = /#{@log_regexp}/.match(line) }
-      return nil unless match_data
-
-      values = match_data.captures
-      entire_line = line.strip
-
-    elsif line.kind_of? Enumerable
-
-      entire_line = line.shift
-      values = line 
-    end
-    
-    raise "Field mismatch between log pattern and log data. The data is: '#{values.join(':::')}'" unless values.length == @log_fields.length
-
-    hash = Hash[ *@log_fields.zip( values ).flatten ]
-    hash[:line] = entire_line.strip
-
-    hash
-  end
-
-  #
-  #  Return true if start or end time has been set, and a :time field exists
-  #
-  def use_time_criteria?
-    if @start_time || @end_time
-      # ensure both boundaries are set
-      @start_time = @start_time || forever_ago
-      @end_time = @end_time || forever
-    end
-
-    return (@time_field && @start_time && @end_time)
-  end
-
-
-  #
-  # Set the :_time value in the hash
-  #
-  # @param [Hash] hash The log line hash to modify
-  #
-  def set_time(hash)
-    hash[:_time] = parse_date( hash ) if hash
-  end
-
-  #
-  # Evaluate if a log line satisfies the configured time conditions
-  #
-  # @param [Hash] line_hash The log line hash to be evaluated
-  #
-  def inside_time_window?( line_hash )
-
-    if line_hash && line_hash[:_time]
-      if @inclusive
-        true unless line_hash[:_time] > @end_time or line_hash[:_time] < @start_time
-      else
-        true unless line_hash[:_time] >= @end_time or line_hash[:_time] <= @start_time
-      end
-    end
-
-  end
-
-  #
-  # Return a valid DateTime object for the log line or string
-  #
-  # @param [String, Hash] param The log line hash, or string to be evaluated
-  #
-  def parse_date(param)
-    return nil unless @time_field
-    return param if param.kind_of? Time or param.kind_of? DateTime
-    
-    time_string = param.is_a?(Hash) ? param[@time_field] : param.to_s
-
-    if @time_format
-      begin
-        # Attempt the appropriate parse method
-        DateTime.strptime(time_string, @time_format)
-      rescue
-        # If appropriate, fall back to simple parse method
-        DateTime.parse(time_string) rescue nil
-      end
-    else
-      begin
-        Time.parse(time_string)
-      rescue Exception => e
-        raise "Failed to create time object. The error was: #{e.message}"
-      end
-    end
-
-  end
-
-  #
-  # Return a time or datetime object way in the future
-  #
-  def forever
-    @time_format ? DateTime.new(4712) : Time.at(0x7FFFFFFF)
-  end
-
   #
-  # Return a time or datetime object way in the past
+  # Removes any existing start and end times from the instance
+  # Otherwise consecutive search calls retain time scope state
   #
-  def forever_ago
-    begin
-      @time_format ? DateTime.new(-4712) : Time.at(-0x7FFFFFFF)
-    rescue
-      # Windows Ruby Time can't handle dates prior to 1969
-      @time_format ? DateTime.new(-4712) : Time.at(0)
-    end
+  def reset_scope
+    @search.reset_scope
   end
 
-  #
-  # Define Struct::Line with the fields configured with @pattern
-  #
-  def define_struct
-    fields = (@log_fields + [:_time, :line]).sort_by{|e|e.to_s}
-    Indy.suppress_warnings { Struct.new( "Line", *fields ) }
-  end
 
-  #
-  # Return a Struct::Line for the last valid entry from the source
-  #
-  def last_entry
-    last_entries(1)
-  end
+  private
 
   #
-  # Return an array of Struct::Line entries for the last N valid entries from the source
+  # Return an array of Struct::Entry objects for the last N valid entries from the source
   #
-  # @param [Fixnum] num the number of rows to retrieve
+  # @param [Fixnum] num the number of entries to retrieve
   #
   def last_entries(num)
-
     num_entries = 0
     result = []
-
-    source_io = @source.open
-
-    source_io.reverse_each do |line|
-
-      hash = parse_line(line)
-
-      set_time(hash) if @time_field
-
+    source_io = @search.source.open
+    source_io.reverse_each do |entry|
+      hash = @search.log_definition.parse_entry(entry)
       if hash
         num_entries += 1
         result << hash
         break if num_entries >= num
       end
     end
-
-    warn "#last_entries found no matching lines in source." if result.empty?
-
-    num == 1 ? Indy.create_struct(result.first) : result.collect{|e| Indy.create_struct(e)}
+    result.collect{|entry| @search.log_definition.create_struct(entry)}
   end
 
 end