logstash-core 2.2.4.snapshot1

data/lib/logstash/util/worker_threads_default_printer.rb

@@ -0,0 +1,29 @@
+# encoding: utf-8
+require "logstash/namespace"
+require "logstash/util"
+
+# This class exists to format the settings for default worker threads
+module LogStash module Util class WorkerThreadsDefaultPrinter
+
+  def initialize(settings)
+    @setting = settings.fetch(:pipeline_workers, 0)
+    @default = settings.fetch(:default_pipeline_workers, 0)
+  end
+
+  def visit(collector)
+    visit_setting(collector)
+    visit_default(collector)
+  end
+
+  def visit_setting(collector)
+    return if @setting == 0
+    collector.push("User set pipeline workers: #{@setting}")
+  end
+
+  def visit_default(collector)
+    return if @default == 0
+    collector.push "Default pipeline workers: #{@default}"
+  end
+
+end end end
+

data/lib/logstash/util/wrapped_synchronous_queue.rb

@@ -0,0 +1,41 @@
+# encoding: utf-8
+
+module LogStash; module Util
+  class WrappedSynchronousQueue
+    java_import java.util.concurrent.SynchronousQueue
+    java_import java.util.concurrent.TimeUnit
+
+    def initialize()
+      @queue = java.util.concurrent.SynchronousQueue.new()
+    end
+
+    # Push an object to the queue if the queue is full
+    # it will block until the object can be added to the queue.
+    #
+    # @param [Object] Object to add to the queue
+    def push(obj)
+      @queue.put(obj)
+    end
+    alias_method(:<<, :push)
+
+    # Offer an object to the queue, wait for the specified amout of time.
+    # If adding to the queue was successfull it wil return true, false otherwise.
+    #
+    # @param [Object] Object to add to the queue
+    # @param [Integer] Time in milliseconds to wait before giving up
+    # @return [Boolean] True if adding was successfull if not it return false
+    def offer(obj, timeout_ms)
+      @queue.offer(obj, timeout_ms, TimeUnit::MILLISECONDS)
+    end
+
+    # Blocking
+    def take
+      @queue.take()
+    end
+
+    # Block for X millis
+    def poll(millis)
+      @queue.poll(millis, TimeUnit::MILLISECONDS)
+    end
+  end
+end end

data/lib/logstash/version.rb

@@ -0,0 +1,14 @@
+# encoding: utf-8
+
+# The version of the logstash package (not the logstash-core gem version).
+#
+# Note to authors: this should not include dashes because 'gem' barfs if
+# you include a dash in the version string.
+
+# TODO: (colin) the logstash-core gem uses it's own version number in logstash-core/lib/logstash-core/version.rb
+#       there are some dependencies in logstash-core on the LOGSTASH_VERSION constant this is why
+#       the logstash version is currently defined here in logstash-core/lib/logstash/version.rb but
+#       eventually this file should be in the root logstash lib fir and dependencies in logstash-core should be
+#       fixed.
+
+LOGSTASH_VERSION = "2.2.4.snapshot1"

data/locales/en.yml

@@ -0,0 +1,204 @@
+# YAML notes
+#   |- means 'scalar block' useful for formatted text
+#   > means 'scalar block' but it chomps all newlines. Useful 
+#     for unformatted text.
+en:
+  oops: |-
+    An unexpected error occurred!
+  logstash:
+    environment:
+      jruby-required:  >-
+        JRuby is required
+      missing-jars: >-
+        Could not find jar files under %{pattern}
+    pipeline:
+      worker-error: |-
+        A plugin had an unrecoverable error. Will restart this plugin.
+          Plugin: %{plugin}
+          Error: %{error}
+      worker-error-debug: |-
+        A plugin had an unrecoverable error. Will restart this plugin.
+          Plugin: %{plugin}
+          Error: %{error}
+          Exception: %{exception}
+          Stack: %{stacktrace}
+      plugin-loading-error: >-
+        Couldn't find any %{type} plugin named '%{name}'. Are you
+        sure this is correct? Trying to load the %{name} %{type} plugin
+        resulted in this error: %{error}
+      plugin-type-loading-error: >-
+        Could not find any plugin type named '%{type}'. Check for typos.
+        Valid plugin types are 'input' 'filter' and 'output'
+      output-worker-unsupported: >-
+        %{plugin} output plugin: setting 'workers => %{worker_count}' is not
+        supported by this plugin. I will continue working as if you had not set
+        this setting.
+      output-worker-unsupported-with-message: >-
+        %{plugin} output plugin: setting 'workers => %{worker_count}' is not
+        supported by this plugin. I will continue working as if you had not set
+        this setting. Reason: %{message}
+    plugin:
+      deprecated_milestone: >-
+        %{plugin} plugin is using the 'milestone' method to declare the version
+        of the plugin this method is deprecated in favor of declaring the
+        version inside the gemspec.
+      no_version: >-
+        %{name} plugin doesn't have a version. This plugin isn't well
+         supported by the community and likely has no maintainer.
+      version:
+        0-9-x:
+         Using version 0.9.x %{type} plugin '%{name}'. This plugin should work but
+         would benefit from use by folks like you. Please let us know if you
+         find bugs or have suggestions on how to improve this plugin.
+        0-1-x: >-
+         Using version 0.1.x %{type} plugin '%{name}'. This plugin isn't well
+         supported by the community and likely has no maintainer.
+    agent:
+      sighup: >-
+        SIGHUP received.
+      missing-configuration: >-
+        No configuration file was specified. Perhaps you forgot to provide
+        the '-f yourlogstash.conf' flag?
+      error: >-
+        Error: %{error}
+      sigint: >-
+        SIGINT received. Shutting down the pipeline.
+      sigterm: >-
+        SIGTERM received. Shutting down the pipeline.
+      slow_shutdown: |-
+        Received shutdown signal, but pipeline is still waiting for in-flight events
+        to be processed. Sending another ^C will force quit Logstash, but this may cause
+        data loss.
+      forced_sigint: >-
+        SIGINT received. Terminating immediately..
+      configtest-flag-information: |-
+        You may be interested in the '--configtest' flag which you can
+        use to validate logstash's configuration before you choose
+        to restart a running system.
+      configuration:
+        obsolete: >-
+          The setting `%{name}` in plugin `%{plugin}` is obsolete and is no
+          longer available. %{extra} If you have any questions about this, you
+          are invited to visit https://discuss.elastic.co/c/logstash and ask.
+        file-not-found: |-
+          No config files found: %{path}
+          Can you make sure this path is a logstash config file?
+        scheme-not-supported: |-
+          URI scheme not supported: %{path}
+          Either pass a local file path or "file|http://" URI
+        fetch-failed: |-
+          Unable to fetch config from: %{path}
+          Reason: %{message}
+        setting_missing: |-
+          Missing a required setting for the %{plugin} %{type} plugin:
+
+            %{type} {
+              %{plugin} {
+                %{setting} => # SETTING MISSING
+                ...
+              }
+            }
+        setting_invalid: |-
+          Invalid setting for %{plugin} %{type} plugin:
+
+            %{type} {
+              %{plugin} {
+                # This setting must be a %{value_type}
+                # %{note}
+                %{setting} => %{value}
+                ...
+              }
+            }
+        invalid_plugin_settings: >-
+          Something is wrong with your configuration.
+        invalid_plugin_settings_duplicate_keys: |-
+          Duplicate keys found in your configuration: [%{keys}]
+          At line: %{line}, column %{column} (byte %{byte})
+          after %{after}
+        invalid_plugin_register: >-
+          Cannot register %{plugin} %{type} plugin.
+          The error reported is: 
+            %{error}
+        plugin_path_missing: >-
+          You specified a plugin path that does not exist: %{path}
+        no_plugins_found: |-
+          Could not find any plugins in "%{path}"
+          I tried to find files matching the following, but found none: 
+            %{plugin_glob}
+        log_file_failed: |-
+          Failed to open %{path} for writing: %{error}
+
+          This is often a permissions issue, or the wrong 
+          path was specified?
+      flag:
+        # Note: Wrap these at 55 chars so they display nicely when clamp emits
+        # them in an 80-character terminal
+        config: |+
+          Load the logstash config from a specific file
+          or directory.  If a directory is given, all
+          files in that directory will be concatenated
+          in lexicographical order and then parsed as a
+          single config file. You can also specify
+          wildcards (globs) and any matched files will
+          be loaded in the order described above.
+        config-string: |+
+          Use the given string as the configuration
+          data. Same syntax as the config file. If no
+          input is specified, then the following is
+          used as the default input:
+          "%{default_input}"
+          and if no output is specified, then the
+          following is used as the default output:
+          "%{default_output}"
+          If you wish to use both defaults, please use
+          the empty string for the '-e' flag.
+        configtest: |+
+          Check configuration for valid syntax and then exit.
+        pipeline-workers: |+
+          Sets the number of pipeline workers to run.
+        filterworkers: |+
+          DEPRECATED. Now an alias for --pipeline-workers and -w
+        pipeline-batch-size: |+
+          Size of batches the pipeline is to work in.
+        pipeline-batch-delay: |+
+          When creating pipeline batches, how long to wait while polling
+          for the next event.
+        log: |+
+          Write logstash internal logs to the given
+          file. Without this flag, logstash will emit
+          logs to standard output.
+        verbosity: |+
+          Increase verbosity of logstash internal logs.
+          Specifying once will show 'informational'
+          logs. Specifying twice will show 'debug'
+          logs. This flag is deprecated. You should use
+          --verbose or --debug instead.
+        version: |+
+          Emit the version of logstash and its friends,
+          then exit.
+        pluginpath: |+
+          A path of where to find plugins. This flag
+          can be given multiple times to include
+          multiple paths. Plugins are expected to be
+          in a specific directory hierarchy:
+          'PATH/logstash/TYPE/NAME.rb' where TYPE is
+          'inputs' 'filters', 'outputs' or 'codecs'
+          and NAME is the name of the plugin.
+        quiet: |+
+          Quieter logstash logging. This causes only 
+          errors to be emitted.
+        verbose: |+
+          More verbose logging. This causes 'info' 
+          level logs to be emitted.
+        debug: |+
+          Most verbose logging. This causes 'debug'
+          level logs to be emitted.
+        debug-config: |+
+          Print the compiled config ruby code out as a debug log (you must also have --debug enabled).
+          WARNING: This will include any 'password' options passed to plugin configs as plaintext, and may result
+          in plaintext passwords appearing in your logs!  
+        unsafe_shutdown: |+
+          Force logstash to exit during shutdown even
+          if there are still inflight events in memory.
+          By default, logstash will refuse to quit until all
+          received events have been pushed to the outputs.

data/logstash-core.gemspec

@@ -0,0 +1,58 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'logstash-core/version'
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Elastic"]
+  gem.email         = ["info@elastic.co"]
+  gem.description   = %q{The core components of logstash, the scalable log and event management tool}
+  gem.summary       = %q{logstash-core - The core components of logstash}
+  gem.homepage      = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  gem.license       = "Apache License (2.0)"
+
+  gem.files         = Dir.glob(["logstash-core.gemspec", "lib/**/*.rb", "spec/**/*.rb", "locales/*"])
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "logstash-core"
+  gem.require_paths = ["lib"]
+  gem.version       = LOGSTASH_CORE_VERSION
+
+  gem.add_runtime_dependency "logstash-core-event", "~> 2.2.4.snapshot1"
+
+  gem.add_runtime_dependency "cabin", "~> 0.7.0" #(Apache 2.0 license)
+  gem.add_runtime_dependency "pry", "~> 0.10.1"  #(Ruby license)
+  gem.add_runtime_dependency "stud", "~> 0.0.19" #(Apache 2.0 license)
+  gem.add_runtime_dependency "clamp", "~> 0.6.5" #(MIT license) for command line args/flags
+  gem.add_runtime_dependency "filesize", "0.0.4" #(MIT license) for :bytes config validator
+  gem.add_runtime_dependency "gems", "~> 0.8.3"  #(MIT license)
+  gem.add_runtime_dependency "concurrent-ruby", "0.9.2"
+  gem.add_runtime_dependency "jruby-openssl", "0.9.13" # Required to support TLSv1.2
+
+  # TODO(sissel): Treetop 1.5.x doesn't seem to work well, but I haven't
+  # investigated what the cause might be. -Jordan
+  gem.add_runtime_dependency "treetop", "< 1.5.0" #(MIT license)
+
+  # upgrade i18n only post 0.6.11, see https://github.com/svenfuchs/i18n/issues/270
+  gem.add_runtime_dependency "i18n", "= 0.6.9" #(MIT license)
+
+  # filetools and rakelib
+  gem.add_runtime_dependency "minitar", "~> 0.5.4"
+  gem.add_runtime_dependency "rubyzip", "~> 1.1.7"
+  gem.add_runtime_dependency "thread_safe", "~> 0.3.5" #(Apache 2.0 license)
+
+  if RUBY_PLATFORM == 'java'
+    gem.platform = RUBY_PLATFORM
+    gem.add_runtime_dependency "jrjackson", "~> 0.3.7" #(Apache 2.0 license)
+  else
+    gem.add_runtime_dependency "oj" #(MIT-style license)
+  end
+
+  if RUBY_ENGINE == "rbx"
+    # rubinius puts the ruby stdlib into gems.
+    gem.add_runtime_dependency "rubysl"
+
+    # Include racc to make the xml tests pass.
+    # https://github.com/rubinius/rubinius/issues/2632#issuecomment-26954565
+    gem.add_runtime_dependency "racc"
+  end
+end

data/spec/conditionals_spec.rb

@@ -0,0 +1,429 @@
+# encoding: utf-8
+require 'spec_helper'
+
+module ConditionalFanciness
+  def description
+    return self.metadata[:description]
+  end
+
+  def conditional(expression, &block)
+    describe(expression) do
+      config <<-CONFIG
+        filter {
+          if #{expression} {
+            mutate { add_tag => "success" }
+          } else {
+            mutate { add_tag => "failure" }
+          }
+        }
+      CONFIG
+      instance_eval(&block)
+    end
+  end
+end
+
+describe "conditionals in output" do
+  extend ConditionalFanciness
+
+  describe "simple" do
+    config <<-CONFIG
+      input {
+        generator {
+          message => '{"foo":{"bar"},"baz": "quux"}'
+          count => 1
+        }
+      }
+      output {
+        if [foo] == "bar" {
+          stdout { }
+        }
+      }
+    CONFIG
+
+    agent do
+      #LOGSTASH-2288, should not fail raising an exception
+    end
+  end
+end
+
+describe "conditionals in filter" do
+  extend ConditionalFanciness
+
+  describe "simple" do
+    config <<-CONFIG
+      filter {
+        mutate { add_field => { "always" => "awesome" } }
+        if [foo] == "bar" {
+          mutate { add_field => { "hello" => "world" } }
+        } else if [bar] == "baz" {
+          mutate { add_field => { "fancy" => "pants" } }
+        } else {
+          mutate { add_field => { "free" => "hugs" } }
+        }
+      }
+    CONFIG
+
+    sample({"foo" => "bar"}) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to eq("world")
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to be_nil
+    end
+
+    sample({"notfoo" => "bar"}) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to eq("hugs")
+    end
+
+    sample({"bar" => "baz"}) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to eq("pants")
+      expect(subject["free"]).to be_nil
+    end
+  end
+
+  describe "nested" do
+    config <<-CONFIG
+      filter {
+        if [nest] == 123 {
+          mutate { add_field => { "always" => "awesome" } }
+          if [foo] == "bar" {
+            mutate { add_field => { "hello" => "world" } }
+          } else if [bar] == "baz" {
+            mutate { add_field => { "fancy" => "pants" } }
+          } else {
+            mutate { add_field => { "free" => "hugs" } }
+          }
+        }
+      }
+    CONFIG
+
+    sample("foo" => "bar", "nest" => 124) do
+      expect(subject["always"]).to be_nil
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to be_nil
+    end
+
+    sample("foo" => "bar", "nest" => 123) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to eq("world")
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to be_nil
+    end
+
+    sample("notfoo" => "bar", "nest" => 123) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to eq("hugs")
+    end
+
+    sample("bar" => "baz", "nest" => 123) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to eq("pants")
+      expect(subject["free"]).to be_nil
+    end
+  end
+
+  describe "comparing two fields" do
+    config <<-CONFIG
+      filter {
+        if [foo] == [bar] {
+          mutate { add_tag => woot }
+        }
+      }
+    CONFIG
+
+    sample("foo" => 123, "bar" => 123) do
+      expect(subject["tags"] ).to include("woot")
+    end
+  end
+
+  describe "the 'in' operator" do
+    config <<-CONFIG
+      filter {
+        if [foo] in [foobar] {
+          mutate { add_tag => "field in field" }
+        }
+        if [foo] in "foo" {
+          mutate { add_tag => "field in string" }
+        }
+        if "hello" in [greeting] {
+          mutate { add_tag => "string in field" }
+        }
+        if [foo] in ["hello", "world", "foo"] {
+          mutate { add_tag => "field in list" }
+        }
+        if [missing] in [alsomissing] {
+          mutate { add_tag => "shouldnotexist" }
+        }
+        if !("foo" in ["hello", "world"]) {
+          mutate { add_tag => "shouldexist" }
+        }
+      }
+    CONFIG
+
+    sample("foo" => "foo", "foobar" => "foobar", "greeting" => "hello world") do
+      expect(subject["tags"]).to include("field in field")
+      expect(subject["tags"]).to include("field in string")
+      expect(subject["tags"]).to include("string in field")
+      expect(subject["tags"]).to include("field in list")
+      expect(subject["tags"]).not_to include("shouldnotexist")
+      expect(subject["tags"]).to include("shouldexist")
+    end
+  end
+
+  describe "the 'not in' operator" do
+    config <<-CONFIG
+      filter {
+        if "foo" not in "baz" { mutate { add_tag => "baz" } }
+        if "foo" not in "foo" { mutate { add_tag => "foo" } }
+        if !("foo" not in "foo") { mutate { add_tag => "notfoo" } }
+        if "foo" not in [somelist] { mutate { add_tag => "notsomelist" } }
+        if "one" not in [somelist] { mutate { add_tag => "somelist" } }
+        if "foo" not in [alsomissing] { mutate { add_tag => "no string in missing field" } }
+      }
+    CONFIG
+
+    sample("foo" => "foo", "somelist" => [ "one", "two" ], "foobar" => "foobar", "greeting" => "hello world", "tags" => [ "fancypantsy" ]) do
+      # verify the original exists
+      expect(subject["tags"]).to include("fancypantsy")
+
+      expect(subject["tags"]).to include("baz")
+      expect(subject["tags"]).not_to include("foo")
+      expect(subject["tags"]).to include("notfoo")
+      expect(subject["tags"]).to include("notsomelist")
+      expect(subject["tags"]).not_to include("somelist")
+      expect(subject["tags"]).to include("no string in missing field")
+    end
+  end
+
+  describe "operators" do
+    conditional "[message] == 'sample'" do
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+      sample("different") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] != 'sample'" do
+      sample("sample") { expect(subject["tags"] ).to include("failure") }
+      sample("different") { expect(subject["tags"] ).to include("success") }
+    end
+
+    conditional "[message] < 'sample'" do
+      sample("apple") { expect(subject["tags"] ).to include("success") }
+      sample("zebra") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] > 'sample'" do
+      sample("zebra") { expect(subject["tags"] ).to include("success") }
+      sample("apple") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] <= 'sample'" do
+      sample("apple") { expect(subject["tags"] ).to include("success") }
+      sample("zebra") { expect(subject["tags"] ).to include("failure") }
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+    end
+
+    conditional "[message] >= 'sample'" do
+      sample("zebra") { expect(subject["tags"] ).to include("success") }
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+      sample("apple") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] =~ /sample/" do
+      sample("apple") { expect(subject["tags"] ).to include("failure") }
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+      sample("some sample") { expect(subject["tags"] ).to include("success") }
+    end
+
+    conditional "[message] !~ /sample/" do
+      sample("apple") { expect(subject["tags"]).to include("success") }
+      sample("sample") { expect(subject["tags"]).to include("failure") }
+      sample("some sample") { expect(subject["tags"]).to include("failure") }
+    end
+
+  end
+
+  describe "negated expressions" do
+    conditional "!([message] == 'sample')" do
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+      sample("different") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] != 'sample')" do
+      sample("sample") { expect(subject["tags"]).not_to include("failure") }
+      sample("different") { expect(subject["tags"]).not_to include("success") }
+    end
+
+    conditional "!([message] < 'sample')" do
+      sample("apple") { expect(subject["tags"]).not_to include("success") }
+      sample("zebra") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] > 'sample')" do
+      sample("zebra") { expect(subject["tags"]).not_to include("success") }
+      sample("apple") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] <= 'sample')" do
+      sample("apple") { expect(subject["tags"]).not_to include("success") }
+      sample("zebra") { expect(subject["tags"]).not_to include("failure") }
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+    end
+
+    conditional "!([message] >= 'sample')" do
+      sample("zebra") { expect(subject["tags"]).not_to include("success") }
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+      sample("apple") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] =~ /sample/)" do
+      sample("apple") { expect(subject["tags"]).not_to include("failure") }
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+      sample("some sample") { expect(subject["tags"]).not_to include("success") }
+    end
+
+    conditional "!([message] !~ /sample/)" do
+      sample("apple") { expect(subject["tags"]).not_to include("success") }
+      sample("sample") { expect(subject["tags"]).not_to include("failure") }
+      sample("some sample") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+  end
+
+  describe "value as an expression" do
+    # testing that a field has a value should be true.
+    conditional "[message]" do
+      sample("apple") { expect(subject["tags"]).to include("success") }
+      sample("sample") { expect(subject["tags"]).to include("success") }
+      sample("some sample") { expect(subject["tags"]).to include("success") }
+    end
+
+    # testing that a missing field has a value should be false.
+    conditional "[missing]" do
+      sample("apple") { expect(subject["tags"]).to include("failure") }
+      sample("sample") { expect(subject["tags"]).to include("failure") }
+      sample("some sample") { expect(subject["tags"]).to include("failure") }
+    end
+  end
+
+  describe "logic operators" do
+    describe "and" do
+      conditional "[message] and [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "[message] and ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+      conditional "![message] and [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+      conditional "![message] and ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+    end
+
+    describe "or" do
+      conditional "[message] or [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "[message] or ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "![message] or [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "![message] or ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+    end
+  end
+
+  describe "field references" do
+    conditional "[field with space]" do
+      sample("field with space" => "hurray") do
+        expect(subject["tags"]).to include("success")
+      end
+    end
+
+    conditional "[field with space] == 'hurray'" do
+      sample("field with space" => "hurray") do
+        expect(subject["tags"]).to include("success")
+      end
+    end
+
+    conditional "[nested field][reference with][some spaces] == 'hurray'" do
+      sample({"nested field" => { "reference with" => { "some spaces" => "hurray" } } }) do
+        expect(subject["tags"]).to include("success")
+      end
+    end
+  end
+
+  describe "new events from root" do
+    config <<-CONFIG
+      filter {
+        if [type] == "original" {
+          clone {
+            clones => ["clone"]
+          }
+        }
+        if [type] == "original" {
+          mutate { add_field => { "cond1" => "true" } }
+        } else {
+          mutate { add_field => { "cond2" => "true" } }
+        }
+      }
+    CONFIG
+
+    sample({"type" => "original"}) do
+      expect(subject).to be_an(Array)
+      expect(subject.length).to eq(2)
+
+      expect(subject[0]["type"]).to eq("original")
+      expect(subject[0]["cond1"]).to eq("true")
+      expect(subject[0]["cond2"]).to eq(nil)
+
+      expect(subject[1]["type"]).to eq("clone")
+      # expect(subject[1]["cond1"]).to eq(nil)
+      # expect(subject[1]["cond2"]).to eq("true")
+    end
+  end
+
+  describe "multiple new events from root" do
+    config <<-CONFIG
+      filter {
+        if [type] == "original" {
+          clone {
+            clones => ["clone1", "clone2"]
+          }
+        }
+        if [type] == "clone1" {
+          mutate { add_field => { "cond1" => "true" } }
+        } else if [type] == "clone2" {
+          mutate { add_field => { "cond2" => "true" } }
+        }
+      }
+    CONFIG
+
+    sample({"type" => "original"}) do
+      # puts subject.inspect
+      expect(subject[0]["cond1"]).to eq(nil)
+      expect(subject[0]["cond2"]).to eq(nil)
+
+      expect(subject[1]["type"]).to eq("clone1")
+      expect(subject[1]["cond1"]).to eq("true")
+      expect(subject[1]["cond2"]).to eq(nil)
+
+      expect(subject[2]["type"]).to eq("clone2")
+      expect(subject[2]["cond1"]).to eq(nil)
+      expect(subject[2]["cond2"]).to eq("true")
+    end
+  end
+
+end