logstash-core 1.5.0.rc3.snapshot6-java → 1.5.0.rc4-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d21bfcb9c16d7eb882467cb166af49b057bd93e7
-  data.tar.gz: 21142f47abb49cee9ee5099178e6eb5465626f46
+  metadata.gz: 3c6ce351055ad0f687e8fed56a9fa24a26818fa0
+  data.tar.gz: fa8e220cc441f294d482435d82ef8c6bb0a26b27
 SHA512:
-  metadata.gz: b42403a2e734e88967b1c4a52e1e99382f7127d6dd9252f7511c8c140ee4fa35ab4e8c729f783293d28f48d05741a1dfe5b2d9d5c22a241f2da839c4ffd089b0
-  data.tar.gz: ba465e71d00caf71d7c21d76b2eb6c9f205e7f2fa8383460c73a662334f999850016dd12f0265eed0de156430a434389e05076322aa79a9872a265dd995d8d93
+  metadata.gz: 67733788cb889660c8e6d5f29f7eb98bf2b212972b3e4ae08a02add631a7b0544aceeef4d03b1c09cf5ad83e298d29ba53d2fad9ead467e09335b274dcc20f12
+  data.tar.gz: 91c9d0ab6e5fabd7aa93b6880c9a5cafd3125caa9b6d62b4419c1e93bd7392c90cb834f73c4bd69d85986fbb8c1a98a745cec5e9312f6df1f046eb9ae21cd0c5

data/lib/logstash-core.rb

@@ -0,0 +1,2 @@
+module LogStash
+end

data/lib/logstash/agent.rb

@@ -39,11 +39,6 @@ class LogStash::Agent < Clamp::Command
   option ["-V", "--version"], :flag,
     I18n.t("logstash.agent.flag.version")
 
-  option ["-p", "--pluginpath"] , "PATH",
-    I18n.t("logstash.agent.flag.pluginpath"),
-    :multivalued => true,
-    :attribute_name => :plugin_paths
-
   option ["-t", "--configtest"], :flag,
     I18n.t("logstash.agent.flag.configtest"),
     :attribute_name => :config_test
@@ -207,7 +202,6 @@ class LogStash::Agent < Clamp::Command
   # Log file stuff, plugin path checking, etc.
   def configure
     configure_logging(log_file)
-    configure_plugin_path(plugin_paths) if !plugin_paths.nil?
   end # def configure
 
   # Point logging at a specific path.
@@ -258,33 +252,6 @@ class LogStash::Agent < Clamp::Command
     # http://jira.codehaus.org/browse/JRUBY-7003
   end # def configure_logging
 
-  # Validate and add any paths to the list of locations
-  # logstash will look to find plugins.
-  def configure_plugin_path(paths)
-    # Append any plugin paths to the ruby search path
-    paths.each do |path|
-      # Verify the path exists
-      if !Dir.exists?(path)
-        warn(I18n.t("logstash.agent.configuration.plugin_path_missing",
-                    :path => path))
-
-      end
-
-      # TODO(sissel): Verify the path looks like the correct form.
-      # aka, there must be file in path/logstash/{inputs,codecs,filters,outputs}/*.rb
-      plugin_glob = File.join(path, "logstash", "{inputs,codecs,filters,outputs}", "*.rb")
-      if Dir.glob(plugin_glob).empty?
-        @logger.warn(I18n.t("logstash.agent.configuration.no_plugins_found",
-                    :path => path, :plugin_glob => plugin_glob))
-      end
-
-      # We push plugin paths to the front of the LOAD_PATH so that folks
-      # can override any core logstash plugins if they need to.
-      @logger.debug("Adding plugin path", :path => path)
-      $LOAD_PATH.unshift(path)
-    end
-  end # def configure_plugin_path
-
   def load_config(path)
     begin
       uri = URI.parse(path)

data/lib/logstash/config/config_ast.rb

@@ -230,7 +230,7 @@ module LogStash; module Config; module AST
         return "start_input(#{variable_name})"
       when "filter"
         return <<-CODE
-          #{variable_name}.filter(event) {|new_event| events << new_event }
+          events = #{variable_name}.multi_filter(events)
         CODE
       when "output"
         return "#{variable_name}.handle(event)\n"

data/lib/logstash/environment.rb

@@ -5,19 +5,16 @@ module LogStash
   module Environment
     extend self
 
-    LOGSTASH_HOME = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", ".."))
-    BUNDLE_DIR = ::File.join(LOGSTASH_HOME, "vendor", "bundle")
-    GEMFILE_PATH = ::File.join(LOGSTASH_HOME, "Gemfile")
-    BUNDLE_CONFIG_PATH = ::File.join(LOGSTASH_HOME, ".bundle", "config")
-    BOOTSTRAP_GEM_PATH = ::File.join(LOGSTASH_HOME, 'build', 'bootstrap')
-    LOCAL_GEM_PATH = ::File.join(LOGSTASH_HOME, 'vendor', 'local_gems')
+    # rehydrate the bootstrap environment if the startup was not done by executing bootstrap.rb
+    # and we are in the context of the logstash package
+    if !LogStash::Environment.const_defined?("LOGSTASH_HOME") &&  !ENV["LOGSTASH_HOME"].to_s.empty?
+      $LOAD_PATH << ::File.join(ENV["LOGSTASH_HOME"], "lib")
+      require "bootstrap/environment"
+    end
 
+    LOGSTASH_CORE = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", ".."))
     LOGSTASH_ENV = (ENV["LS_ENV"] || 'production').to_s.freeze
 
-    def logstash_gem_home
-      ::File.join(BUNDLE_DIR, ruby_engine, gem_ruby_version)
-    end
-
     def env
       LOGSTASH_ENV
     end
@@ -75,21 +72,6 @@ module LogStash
       ENV["USE_RUBY"] == "1" ? "ruby" : File.join("vendor", "jruby", "bin", "jruby")
     end
 
-    # @return [String] major.minor ruby version, ex 1.9
-    def ruby_abi_version
-      RUBY_VERSION[/(\d+\.\d+)(\.\d+)*/, 1]
-    end
-
-    # @return [String] the ruby version string bundler uses to craft its gem path
-    def gem_ruby_version
-      RbConfig::CONFIG["ruby_version"]
-    end
-
-    # @return [String] jruby, ruby, rbx, ...
-    def ruby_engine
-      RUBY_ENGINE
-    end
-
     def jruby?
       @jruby ||= !!(RUBY_PLATFORM == "java")
     end
@@ -102,16 +84,12 @@ module LogStash
       return ::File.join(LOGSTASH_HOME, "vendor", path)
     end
 
-    def plugin_path(path)
-      return ::File.join(LOGSTASH_HOME, "lib", "logstash", path)
-    end
-
     def pattern_path(path)
       return ::File.join(LOGSTASH_HOME, "patterns", path)
     end
 
     def locales_path(path)
-      return ::File.join(LOGSTASH_HOME, "locales", path)
+      return ::File.join(LOGSTASH_CORE, "locales", path)
     end
 
     def load_locale!

data/lib/logstash/filters/base.rb

@@ -146,6 +146,25 @@ class LogStash::Filters::Base < LogStash::Plugin
     raise "#{self.class}#filter must be overidden"
   end # def filter
 
+  # in 1.5.0 multi_filter is meant to be used in the generated filter function in LogStash::Config::AST::Plugin only
+  # and is temporary until we refactor the filter method interface to accept events list and return events list,
+  # just list in multi_filter see https://github.com/elastic/logstash/issues/2872.
+  # refactoring the filter method will mean updating all plugins which we want to avoid doing for 1.5.0.
+  #
+  # @param events [Array<LogStash::Event] list of events to filter
+  # @return [Array<LogStash::Event] filtered events and any new events generated by the filter
+  public
+  def multi_filter(events)
+    result = []
+    events.each do |event|
+      unless event.cancelled?
+        result << event
+        filter(event){|new_event| result << new_event}
+      end
+    end
+    result
+  end
+
   public
   def execute(event, &block)
     filter(event, &block)

data/lib/logstash/namespace.rb

@@ -1,5 +1,4 @@
 # encoding: utf-8
-#$: << File.join(File.dirname(__FILE__), "..", "..", "vendor", "bundle")
 
 module LogStash
   module Inputs; end

data/lib/logstash/runner.rb

@@ -1,34 +1,16 @@
 # encoding: utf-8
 
 Thread.abort_on_exception = true
-
 Encoding.default_external = Encoding::UTF_8
-$START = Time.now
 $DEBUGLIST = (ENV["DEBUG"] || "").split(",")
 
-require "logstash/bundler"
-LogStash::Bundler.setup!
-
 require "logstash/environment"
+
 LogStash::Environment.load_locale!
 
 require "logstash/namespace"
 require "logstash/program"
 
-class LogStash::RSpecsRunner
-  def initialize(args)
-    @args = args
-  end
-
-  def run
-    @result = RSpec::Core::Runner.run(@args)
-  end
-
-  def wait
-    return @result
-  end
-end
-
 class LogStash::Runner
   include LogStash::Program
 
@@ -39,7 +21,6 @@ class LogStash::Runner
     @startup_interruption_trap = Stud::trap("INT") { puts "Interrupted"; exit 0 }
 
     LogStash::Util::set_thread_name(self.class.name)
-    #$LOAD_PATH << File.join(File.dirname(__FILE__), "..")
 
     if RUBY_VERSION < "1.9.2"
       $stderr.puts "Ruby 1.9.2 or later is required. (You are running: " + RUBY_VERSION + ")"
@@ -63,15 +44,6 @@ class LogStash::Runner
         end
         return LogStash::Agent.run($0, agent_args)
       end,
-      "rspec" => lambda do
-        require "rspec/core/runner"
-        require "rspec"
-        spec_path = File.expand_path(File.join(File.dirname(__FILE__), "/../../spec"))
-        $LOAD_PATH << spec_path
-        all_specs = Dir.glob(File.join(spec_path, "/**/*_spec.rb"))
-        rspec = LogStash::RSpecsRunner.new(args.empty? ? all_specs : args)
-        return rspec.run
-      end,
       "irb" => lambda do
         require "irb"
         return IRB.start(__FILE__)
@@ -96,21 +68,10 @@ class LogStash::Runner
         end
         return 0
       end,
-      "plugin" => lambda do
-        require 'logstash/pluginmanager'
-        plugin_manager = LogStash::PluginManager::Main.new($0)
-        begin
-          plugin_manager.parse(args)
-          return plugin_manager.execute
-        rescue Clamp::HelpWanted => e
-          show_help(e.command)
-          return 0
-        end
-      end,
       "agent" => lambda do
         require "logstash/agent"
         # Hack up a runner
-        agent = LogStash::Agent.new($0)
+        agent = LogStash::Agent.new("/bin/logstash agent", $0)
         begin
           agent.parse(args)
         rescue Clamp::HelpWanted => e
@@ -146,24 +107,15 @@ For example: logstash agent --help
 Available commands:
   agent - runs the logstash agent
   version - emits version info about this logstash
-  rspec - runs tests
-      ]
+]
       #$stderr.puts commands.keys.map { |s| "  #{s}" }.join("\n")
       return Stud::Task.new { 1 }
     end
   end # def run
 
-  # @return true if this file is the main file being run and not via rspec
-  def self.autorun?
-    # caller is the current execution stack
-    $0 == __FILE__ && caller.none?{|entry| entry =~ /rspec/}
-  end
-
   private
 
   def show_help(command)
     puts command.help
   end
 end # class LogStash::Runner
-
-LogStash::Runner.new.main(ARGV) if LogStash::Runner.autorun?

data/lib/logstash/version.rb

@@ -1,6 +1,6 @@
 # encoding: utf-8
 # The version of logstash.
-LOGSTASH_VERSION = "1.5.0-rc3.snapshot6"
+LOGSTASH_VERSION = "1.5.0.rc4"
 
 # Note to authors: this should not include dashes because 'gem' barfs if
 # you include a dash in the version string.

data/logstash-core.gemspec

@@ -0,0 +1,54 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'logstash/version'
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Jordan Sissel", "Pete Fritchman", "Elasticsearch"]
+  gem.email         = ["jls@semicomplete.com", "petef@databits.net", "info@elasticsearch.com"]
+  gem.description   = %q{The core components of logstash, the scalable log and event management tool}
+  gem.summary       = %q{logstash-core - The core components of logstash}
+  gem.homepage      = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  gem.license       = "Apache License (2.0)"
+
+  gem.files         = Dir.glob(["logstash-core.gemspec", "lib/logstash-core.rb", "lib/logstash/**/*.rb", "spec/**/*.rb", "locales/*"])
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "logstash-core"
+  gem.require_paths = ["lib"]
+  gem.version       = LOGSTASH_VERSION.gsub(/-/, '.')
+
+  gem.add_runtime_dependency "cabin", "~> 0.7.0" #(Apache 2.0 license)
+  gem.add_runtime_dependency "pry", "~> 0.10.1" #(Ruby license)
+  gem.add_runtime_dependency "stud", "~> 0.0.19" #(Apache 2.0 license)
+  gem.add_runtime_dependency "clamp", "~> 0.6.5" #(MIT license) for command line args/flags
+  gem.add_runtime_dependency "filesize", "0.0.4" #(MIT license) for :bytes config validator
+
+  # TODO(sissel): Treetop 1.5.x doesn't seem to work well, but I haven't
+  # investigated what the cause might be. -Jordan
+  gem.add_runtime_dependency "treetop", "< 1.5.0" #(MIT license)
+
+  # upgrade i18n only post 0.6.11, see https://github.com/svenfuchs/i18n/issues/270
+  gem.add_runtime_dependency "i18n", "= 0.6.9" #(MIT license)
+
+  # filetools and rakelib
+  gem.add_runtime_dependency "minitar", "~> 0.5.4"
+
+  if RUBY_PLATFORM == 'java'
+    gem.platform = RUBY_PLATFORM
+    gem.add_runtime_dependency "jrjackson", "~> 0.2.8" #(Apache 2.0 license)
+  else
+    gem.add_runtime_dependency "oj" #(MIT-style license)
+  end
+
+  if RUBY_ENGINE == "rbx"
+    # rubinius puts the ruby stdlib into gems.
+    gem.add_runtime_dependency "rubysl"
+
+    # Include racc to make the xml tests pass.
+    # https://github.com/rubinius/rubinius/issues/2632#issuecomment-26954565
+    gem.add_runtime_dependency "racc"
+  end
+
+  gem.add_development_dependency "rspec", "~> 2.14" #(MIT license)
+  gem.add_development_dependency "logstash-devutils", "~> 0"
+end

data/spec/core/conditionals_spec.rb

@@ -0,0 +1,428 @@
+require 'spec_helper'
+
+module ConditionalFanciness
+  def description
+    return example.metadata[:example_group][:description_args][0]
+  end
+
+  def conditional(expression, &block)
+    describe(expression) do
+      config <<-CONFIG
+        filter {
+          if #{expression} {
+            mutate { add_tag => "success" }
+          } else {
+            mutate { add_tag => "failure" }
+          }
+        }
+      CONFIG
+      instance_eval(&block)
+    end
+  end
+end
+
+describe "conditionals in output" do
+  extend ConditionalFanciness
+
+  describe "simple" do
+    config <<-CONFIG
+      input {
+        generator {
+          message => '{"foo":{"bar"},"baz": "quux"}'
+          count => 1
+        }
+      }
+      output {
+        if [foo] == "bar" {
+          stdout { }
+        }
+      }
+    CONFIG
+
+    agent do
+      #LOGSTASH-2288, should not fail raising an exception
+    end
+  end
+end
+
+describe "conditionals in filter" do
+  extend ConditionalFanciness
+
+  describe "simple" do
+    config <<-CONFIG
+      filter {
+        mutate { add_field => { "always" => "awesome" } }
+        if [foo] == "bar" {
+          mutate { add_field => { "hello" => "world" } }
+        } else if [bar] == "baz" {
+          mutate { add_field => { "fancy" => "pants" } }
+        } else {
+          mutate { add_field => { "free" => "hugs" } }
+        }
+      }
+    CONFIG
+
+    sample({"foo" => "bar"}) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to eq("world")
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to be_nil
+    end
+
+    sample({"notfoo" => "bar"}) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to eq("hugs")
+    end
+
+    sample({"bar" => "baz"}) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to eq("pants")
+      expect(subject["free"]).to be_nil
+    end
+  end
+
+  describe "nested" do
+    config <<-CONFIG
+      filter {
+        if [nest] == 123 {
+          mutate { add_field => { "always" => "awesome" } }
+          if [foo] == "bar" {
+            mutate { add_field => { "hello" => "world" } }
+          } else if [bar] == "baz" {
+            mutate { add_field => { "fancy" => "pants" } }
+          } else {
+            mutate { add_field => { "free" => "hugs" } }
+          }
+        }
+      }
+    CONFIG
+
+    sample("foo" => "bar", "nest" => 124) do
+      expect(subject["always"]).to be_nil
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to be_nil
+    end
+
+    sample("foo" => "bar", "nest" => 123) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to eq("world")
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to be_nil
+    end
+
+    sample("notfoo" => "bar", "nest" => 123) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to be_nil
+      expect(subject["free"]).to eq("hugs")
+    end
+
+    sample("bar" => "baz", "nest" => 123) do
+      expect(subject["always"]).to eq("awesome")
+      expect(subject["hello"]).to be_nil
+      expect(subject["fancy"]).to eq("pants")
+      expect(subject["free"]).to be_nil
+    end
+  end
+
+  describe "comparing two fields" do
+    config <<-CONFIG
+      filter {
+        if [foo] == [bar] {
+          mutate { add_tag => woot }
+        }
+      }
+    CONFIG
+
+    sample("foo" => 123, "bar" => 123) do
+      expect(subject["tags"] ).to include("woot")
+    end
+  end
+
+  describe "the 'in' operator" do
+    config <<-CONFIG
+      filter {
+        if [foo] in [foobar] {
+          mutate { add_tag => "field in field" }
+        }
+        if [foo] in "foo" {
+          mutate { add_tag => "field in string" }
+        }
+        if "hello" in [greeting] {
+          mutate { add_tag => "string in field" }
+        }
+        if [foo] in ["hello", "world", "foo"] {
+          mutate { add_tag => "field in list" }
+        }
+        if [missing] in [alsomissing] {
+          mutate { add_tag => "shouldnotexist" }
+        }
+        if !("foo" in ["hello", "world"]) {
+          mutate { add_tag => "shouldexist" }
+        }
+      }
+    CONFIG
+
+    sample("foo" => "foo", "foobar" => "foobar", "greeting" => "hello world") do
+      expect(subject["tags"]).to include("field in field")
+      expect(subject["tags"]).to include("field in string")
+      expect(subject["tags"]).to include("string in field")
+      expect(subject["tags"]).to include("field in list")
+      expect(subject["tags"]).not_to include("shouldnotexist")
+      expect(subject["tags"]).to include("shouldexist")
+    end
+  end
+
+  describe "the 'not in' operator" do
+    config <<-CONFIG
+      filter {
+        if "foo" not in "baz" { mutate { add_tag => "baz" } }
+        if "foo" not in "foo" { mutate { add_tag => "foo" } }
+        if !("foo" not in "foo") { mutate { add_tag => "notfoo" } }
+        if "foo" not in [somelist] { mutate { add_tag => "notsomelist" } }
+        if "one" not in [somelist] { mutate { add_tag => "somelist" } }
+        if "foo" not in [alsomissing] { mutate { add_tag => "no string in missing field" } }
+      }
+    CONFIG
+
+    sample("foo" => "foo", "somelist" => [ "one", "two" ], "foobar" => "foobar", "greeting" => "hello world", "tags" => [ "fancypantsy" ]) do
+      # verify the original exists
+      expect(subject["tags"]).to include("fancypantsy")
+
+      expect(subject["tags"]).to include("baz")
+      expect(subject["tags"]).not_to include("foo")
+      expect(subject["tags"]).to include("notfoo")
+      expect(subject["tags"]).to include("notsomelist")
+      expect(subject["tags"]).not_to include("somelist")
+      expect(subject["tags"]).to include("no string in missing field")
+    end
+  end
+
+  describe "operators" do
+    conditional "[message] == 'sample'" do
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+      sample("different") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] != 'sample'" do
+      sample("sample") { expect(subject["tags"] ).to include("failure") }
+      sample("different") { expect(subject["tags"] ).to include("success") }
+    end
+
+    conditional "[message] < 'sample'" do
+      sample("apple") { expect(subject["tags"] ).to include("success") }
+      sample("zebra") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] > 'sample'" do
+      sample("zebra") { expect(subject["tags"] ).to include("success") }
+      sample("apple") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] <= 'sample'" do
+      sample("apple") { expect(subject["tags"] ).to include("success") }
+      sample("zebra") { expect(subject["tags"] ).to include("failure") }
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+    end
+
+    conditional "[message] >= 'sample'" do
+      sample("zebra") { expect(subject["tags"] ).to include("success") }
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+      sample("apple") { expect(subject["tags"] ).to include("failure") }
+    end
+
+    conditional "[message] =~ /sample/" do
+      sample("apple") { expect(subject["tags"] ).to include("failure") }
+      sample("sample") { expect(subject["tags"] ).to include("success") }
+      sample("some sample") { expect(subject["tags"] ).to include("success") }
+    end
+
+    conditional "[message] !~ /sample/" do
+      sample("apple") { expect(subject["tags"]).to include("success") }
+      sample("sample") { expect(subject["tags"]).to include("failure") }
+      sample("some sample") { expect(subject["tags"]).to include("failure") }
+    end
+
+  end
+
+  describe "negated expressions" do
+    conditional "!([message] == 'sample')" do
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+      sample("different") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] != 'sample')" do
+      sample("sample") { expect(subject["tags"]).not_to include("failure") }
+      sample("different") { expect(subject["tags"]).not_to include("success") }
+    end
+
+    conditional "!([message] < 'sample')" do
+      sample("apple") { expect(subject["tags"]).not_to include("success") }
+      sample("zebra") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] > 'sample')" do
+      sample("zebra") { expect(subject["tags"]).not_to include("success") }
+      sample("apple") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] <= 'sample')" do
+      sample("apple") { expect(subject["tags"]).not_to include("success") }
+      sample("zebra") { expect(subject["tags"]).not_to include("failure") }
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+    end
+
+    conditional "!([message] >= 'sample')" do
+      sample("zebra") { expect(subject["tags"]).not_to include("success") }
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+      sample("apple") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+    conditional "!([message] =~ /sample/)" do
+      sample("apple") { expect(subject["tags"]).not_to include("failure") }
+      sample("sample") { expect(subject["tags"]).not_to include("success") }
+      sample("some sample") { expect(subject["tags"]).not_to include("success") }
+    end
+
+    conditional "!([message] !~ /sample/)" do
+      sample("apple") { expect(subject["tags"]).not_to include("success") }
+      sample("sample") { expect(subject["tags"]).not_to include("failure") }
+      sample("some sample") { expect(subject["tags"]).not_to include("failure") }
+    end
+
+  end
+
+  describe "value as an expression" do
+    # testing that a field has a value should be true.
+    conditional "[message]" do
+      sample("apple") { expect(subject["tags"]).to include("success") }
+      sample("sample") { expect(subject["tags"]).to include("success") }
+      sample("some sample") { expect(subject["tags"]).to include("success") }
+    end
+
+    # testing that a missing field has a value should be false.
+    conditional "[missing]" do
+      sample("apple") { expect(subject["tags"]).to include("failure") }
+      sample("sample") { expect(subject["tags"]).to include("failure") }
+      sample("some sample") { expect(subject["tags"]).to include("failure") }
+    end
+  end
+
+  describe "logic operators" do
+    describe "and" do
+      conditional "[message] and [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "[message] and ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+      conditional "![message] and [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+      conditional "![message] and ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+    end
+
+    describe "or" do
+      conditional "[message] or [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "[message] or ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "![message] or [message]" do
+        sample("whatever") { expect(subject["tags"]).to include("success") }
+      end
+      conditional "![message] or ![message]" do
+        sample("whatever") { expect(subject["tags"]).to include("failure") }
+      end
+    end
+  end
+
+  describe "field references" do
+    conditional "[field with space]" do
+      sample("field with space" => "hurray") do
+        expect(subject["tags"]).to include("success")
+      end
+    end
+
+    conditional "[field with space] == 'hurray'" do
+      sample("field with space" => "hurray") do
+        expect(subject["tags"]).to include("success")
+      end
+    end
+
+    conditional "[nested field][reference with][some spaces] == 'hurray'" do
+      sample({"nested field" => { "reference with" => { "some spaces" => "hurray" } } }) do
+        expect(subject["tags"]).to include("success")
+      end
+    end
+  end
+
+  describe "new events from root" do
+    config <<-CONFIG
+      filter {
+        if [type] == "original" {
+          clone {
+            clones => ["clone"]
+          }
+        }
+        if [type] == "original" {
+          mutate { add_field => { "cond1" => "true" } }
+        } else {
+          mutate { add_field => { "cond2" => "true" } }
+        }
+      }
+    CONFIG
+
+    sample({"type" => "original"}) do
+      expect(subject).to be_an(Array)
+      expect(subject.length).to eq(2)
+
+      expect(subject[0]["type"]).to eq("original")
+      expect(subject[0]["cond1"]).to eq("true")
+      expect(subject[0]["cond2"]).to eq(nil)
+
+      expect(subject[1]["type"]).to eq("clone")
+      # expect(subject[1]["cond1"]).to eq(nil)
+      # expect(subject[1]["cond2"]).to eq("true")
+    end
+  end
+
+  describe "multiple new events from root" do
+    config <<-CONFIG
+      filter {
+        if [type] == "original" {
+          clone {
+            clones => ["clone1", "clone2"]
+          }
+        }
+        if [type] == "clone1" {
+          mutate { add_field => { "cond1" => "true" } }
+        } else if [type] == "clone2" {
+          mutate { add_field => { "cond2" => "true" } }
+        }
+      }
+    CONFIG
+
+    sample({"type" => "original"}) do
+      # puts subject.inspect
+      expect(subject[0]["cond1"]).to eq(nil)
+      expect(subject[0]["cond2"]).to eq(nil)
+
+      expect(subject[1]["type"]).to eq("clone1")
+      expect(subject[1]["cond1"]).to eq("true")
+      expect(subject[1]["cond2"]).to eq(nil)
+
+      expect(subject[2]["type"]).to eq("clone2")
+      expect(subject[2]["cond1"]).to eq(nil)
+      expect(subject[2]["cond2"]).to eq("true")
+    end
+  end
+
+end