logstash-filter-aggregate 2.0.2 → 2.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 54c0279cf7984071cc3f9a16b46c6880381ce1c8
-  data.tar.gz: 4388fcf687de2dbdc244567faf9b377d1078c639
+  metadata.gz: 6500c98a915954331abf2a5e589c58497d735a4c
+  data.tar.gz: a2936e86e9e33cb497a9d86b22356d1a9c5299ac
 SHA512:
-  metadata.gz: 7c1fea00dea5fce67dc57e5f24d402d116f966c4412e714b9ac385a2189a0b3284b3674c5d941fd4120a969e90dd562f2859884e26444be5885e85cf6725c651
-  data.tar.gz: 1769add45737af42642d49cc762a93499df95e6c766c4e82ec03ed7978fa7535c81daf10b91ce96943286238b72e6faad3c65596075e4cfbc9bdab8eadb97d2e
+  metadata.gz: 38d0789ad10b94338d1ece65b84e4d7dbf60ab320da55ef1921426509ffd4f4516c2457ccad2723a5c98b19fc5e2490e3676dba80496970d03dbec23312a6d3e
+  data.tar.gz: b19dbfc2e2af9202dd6b992fbbf925fd8c8280ef404e8c054e2291f2ffac80b4550c91f7c8502f9c158d0ef6774a6d515dd294f0c7426215795b586a09e1b721

data/CHANGELOG.md

@@ -1,4 +1,10 @@
-## 2.0.0
+# v 2.0.3
+- fix issue #10 : numeric task_id is now well processed
+
+# v 2.0.2
+- fix issue #5 : when code call raises an exception, the error is logged and the event is tagged '_aggregateexception'. It avoids logstash crash.
+
+# v 2.0.0
  - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, 
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
  - Dependency on logstash-core update to 2.0

data/README.md

@@ -1,5 +1,7 @@
 # Logstash Filter Aggregate Documentation
 
+[![Build Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-aggregate-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-aggregate-unit/)
+
 The aim of this filter is to aggregate information available among several events (typically log lines) belonging to a same task, and finally push aggregated information into final task event.
  
 ## Example #1

data/lib/logstash/filters/aggregate.rb

@@ -4,102 +4,102 @@ require "logstash/filters/base"
 require "logstash/namespace"
 require "thread"
 
-#
+# 
 # The aim of this filter is to aggregate information available among several events (typically log lines) belonging to a same task,
 # and finally push aggregated information into final task event.
 # 
 # ==== Example #1
-#
+# 
 # * with these given logs :  
 # [source,ruby]
 # ----------------------------------
-#   INFO - 12345 - TASK_START - start
-#   INFO - 12345 - SQL - sqlQuery1 - 12
-#   INFO - 12345 - SQL - sqlQuery2 - 34
-#   INFO - 12345 - TASK_END - end
+#  INFO - 12345 - TASK_START - start
+#  INFO - 12345 - SQL - sqlQuery1 - 12
+#  INFO - 12345 - SQL - sqlQuery2 - 34
+#  INFO - 12345 - TASK_END - end
 # ----------------------------------
-#
+# 
 # * you can aggregate "sql duration" for the whole task with this configuration :
 # [source,ruby]
 # ----------------------------------
-#     filter {
-#         grok {
-#             match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
-#         }
-#     
-#         if [logger] == "TASK_START" {
-#             aggregate {
-#                 task_id => "%{taskid}"
-#                 code => "map['sql_duration'] = 0"
-#                 map_action => "create"
-#             }
-#         }
-#     
-#         if [logger] == "SQL" {
-#             aggregate {
-#                 task_id => "%{taskid}"
-#                 code => "map['sql_duration'] += event['duration']"
-#                 map_action => "update"
-#             }
-#         }
-#     
-#         if [logger] == "TASK_END" {
-#             aggregate {
-#                 task_id => "%{taskid}"
-#                 code => "event['sql_duration'] = map['sql_duration']"
-#                 map_action => "update"
-#                 end_of_task => true
-#                 timeout => 120
-#             }
-#         }
-#     }
+#  filter {
+#    grok {
+#      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
+#    }
+#  
+#    if [logger] == "TASK_START" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "map['sql_duration'] = 0"
+#        map_action => "create"
+#      }
+#    }
+# 
+#    if [logger] == "SQL" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "map['sql_duration'] += event['duration']"
+#        map_action => "update"
+#      }
+#    }
+#  
+#    if [logger] == "TASK_END" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "event['sql_duration'] = map['sql_duration']"
+#        map_action => "update"
+#        end_of_task => true
+#        timeout => 120
+#      }
+#    }
+#  }
 # ----------------------------------
 #
 # * the final event then looks like :  
 # [source,ruby]
 # ----------------------------------
 # {
-#         "message" => "INFO - 12345 - TASK_END - end message",
-#    "sql_duration" => 46
+#        "message" => "INFO - 12345 - TASK_END - end message",
+#   "sql_duration" => 46
 # }
 # ----------------------------------
-#
+# 
 # the field `sql_duration` is added and contains the sum of all sql queries durations.
-#
+# 
 # ==== Example #2
 # 
 # * If you have the same logs than example #1, but without a start log :
 # [source,ruby]
 # ----------------------------------
-#   INFO - 12345 - SQL - sqlQuery1 - 12
-#   INFO - 12345 - SQL - sqlQuery2 - 34
-#   INFO - 12345 - TASK_END - end
+#  INFO - 12345 - SQL - sqlQuery1 - 12
+#  INFO - 12345 - SQL - sqlQuery2 - 34
+#  INFO - 12345 - TASK_END - end
 # ----------------------------------
-#
+# 
 # * you can also aggregate "sql duration" with a slightly different configuration : 
 # [source,ruby]
 # ----------------------------------
-#     filter {
-#         grok {
-#             match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
-#         }
+#  filter {
+#    grok {
+#      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
+#    }
 #     
-#         if [logger] == "SQL" {
-#             aggregate {
-#                 task_id => "%{taskid}"
-#                 code => "map['sql_duration'] ||= 0 ; map['sql_duration'] += event['duration']"
-#             }
-#         }
+#    if [logger] == "SQL" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "map['sql_duration'] ||= 0 ; map['sql_duration'] += event['duration']"
+#      }
+#    }
 #     
-#         if [logger] == "TASK_END" {
-#             aggregate {
-#                 task_id => "%{taskid}"
-#                 code => "event['sql_duration'] = map['sql_duration']"
-#                 end_of_task => true
-#                 timeout => 120
-#             }
-#         }
-#     }
+#    if [logger] == "TASK_END" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "event['sql_duration'] = map['sql_duration']"
+#        end_of_task => true
+#        timeout => 120
+#      }
+#    }
+#  }
 # ----------------------------------
 #
 # * the final event is exactly the same than example #1
@@ -119,159 +119,157 @@ require "thread"
 #
 class LogStash::Filters::Aggregate < LogStash::Filters::Base
 
-	config_name "aggregate"
+  config_name "aggregate"
 
-	# The expression defining task ID to correlate logs.
-	#
-	# This value must uniquely identify the task in the system.
-	#
-	# Example value : "%{application}%{my_task_id}"
-	config :task_id, :validate => :string, :required => true
+  # The expression defining task ID to correlate logs.
+  #
+  # This value must uniquely identify the task in the system.
+  #
+  # Example value : "%{application}%{my_task_id}"
+  config :task_id, :validate => :string, :required => true
 
-	# The code to execute to update map, using current event.
-	#
-	# Or on the contrary, the code to execute to update event, using current map.
-	#
-	# You will have a 'map' variable and an 'event' variable available (that is the event itself).
-	#
-	# Example value : "map['sql_duration'] += event['duration']"
-	config :code, :validate => :string, :required => true
+  # The code to execute to update map, using current event.
+  #
+  # Or on the contrary, the code to execute to update event, using current map.
+  #
+  # You will have a 'map' variable and an 'event' variable available (that is the event itself).
+  #
+  # Example value : "map['sql_duration'] += event['duration']"
+  config :code, :validate => :string, :required => true
 
-	# Tell the filter what to do with aggregate map.
-	#
-	# `create`: create the map, and execute the code only if map wasn't created before
-	#
-	# `update`: doesn't create the map, and execute the code only if map was created before
-	#
-	# `create_or_update`: create the map if it wasn't created before, execute the code in all cases
-	config :map_action, :validate => :string, :default => "create_or_update"
+  # Tell the filter what to do with aggregate map.
+  #
+  # `create`: create the map, and execute the code only if map wasn't created before
+  #
+  # `update`: doesn't create the map, and execute the code only if map was created before
+  #
+  # `create_or_update`: create the map if it wasn't created before, execute the code in all cases
+  config :map_action, :validate => :string, :default => "create_or_update"
 
-	# Tell the filter that task is ended, and therefore, to delete map after code execution.  
-	config :end_of_task, :validate => :boolean, :default => false
+  # Tell the filter that task is ended, and therefore, to delete map after code execution.  
+  config :end_of_task, :validate => :boolean, :default => false
 
-	# The amount of seconds after a task "end event" can be considered lost.
-	#
-	# The task "map" is evicted.
-	#
-	# Default value (`0`) means no timeout so no auto eviction.
-	config :timeout, :validate => :number, :required => false, :default => 0
+  # The amount of seconds after a task "end event" can be considered lost.
+  #
+  # The task "map" is evicted.
+  #
+  # Default value (`0`) means no timeout so no auto eviction.
+  config :timeout, :validate => :number, :required => false, :default => 0
 
-	
-	# Default timeout (in seconds) when not defined in plugin configuration
-	DEFAULT_TIMEOUT = 1800
+  
+  # Default timeout (in seconds) when not defined in plugin configuration
+  DEFAULT_TIMEOUT = 1800
 
-	# This is the state of the filter.
-	# For each entry, key is "task_id" and value is a map freely updatable by 'code' config
-	@@aggregate_maps = {}
+  # This is the state of the filter.
+  # For each entry, key is "task_id" and value is a map freely updatable by 'code' config
+  @@aggregate_maps = {}
 
-	# Mutex used to synchronize access to 'aggregate_maps'
-	@@mutex = Mutex.new
+  # Mutex used to synchronize access to 'aggregate_maps'
+  @@mutex = Mutex.new
 
-	# Aggregate instance which will evict all zombie Aggregate elements (older than timeout)
-	@@eviction_instance = nil
+  # Aggregate instance which will evict all zombie Aggregate elements (older than timeout)
+  @@eviction_instance = nil
 
-	# last time where eviction was launched
-	@@last_eviction_timestamp = nil
+  # last time where eviction was launched
+  @@last_eviction_timestamp = nil
 
-	# Initialize plugin
-	public
-	def register
-		# process lambda expression to call in each filter call
-		eval("@codeblock = lambda { |event, map| #{@code} }", binding, "(aggregate filter code)")
+  # Initialize plugin
+  public
+  def register
+    # process lambda expression to call in each filter call
+    eval("@codeblock = lambda { |event, map| #{@code} }", binding, "(aggregate filter code)")
 
-		# define eviction_instance
-		@@mutex.synchronize do
-			if (@timeout > 0 && (@@eviction_instance.nil? || @timeout < @@eviction_instance.timeout))
-				@@eviction_instance = self
-				@logger.info("Aggregate, timeout: #{@timeout} seconds")
-			end
-		end
-	end
+    # define eviction_instance
+    @@mutex.synchronize do
+      if (@timeout > 0 && (@@eviction_instance.nil? || @timeout < @@eviction_instance.timeout))
+        @@eviction_instance = self
+        @logger.info("Aggregate, timeout: #{@timeout} seconds")
+      end
+    end
+  end
 
-	
-	# This method is invoked each time an event matches the filter
-	public
-	def filter(event)
-		# return nothing unless there's an actual filter event
-		
+  
+  # This method is invoked each time an event matches the filter
+  public
+  def filter(event)
 
-		# define task id
-		task_id = event.sprintf(@task_id)
-		return if task_id.nil? || task_id.empty? || task_id == @task_id
+    # define task id
+    task_id = event.sprintf(@task_id)
+    return if task_id.nil? || task_id == @task_id
 
-		noError = false
+    noError = false
 
-		# protect aggregate_maps against concurrent access, using a mutex
-		@@mutex.synchronize do
-		
-			# retrieve the current aggregate map
-			aggregate_maps_element = @@aggregate_maps[task_id]
-			if (aggregate_maps_element.nil?)
-				return if @map_action == "update"
-				aggregate_maps_element = LogStash::Filters::Aggregate::Element.new(Time.now);
-				@@aggregate_maps[task_id] = aggregate_maps_element
-			else
-				return if @map_action == "create"
-			end
-			map = aggregate_maps_element.map
+    # protect aggregate_maps against concurrent access, using a mutex
+    @@mutex.synchronize do
+    
+      # retrieve the current aggregate map
+      aggregate_maps_element = @@aggregate_maps[task_id]
+      if (aggregate_maps_element.nil?)
+        return if @map_action == "update"
+        aggregate_maps_element = LogStash::Filters::Aggregate::Element.new(Time.now);
+        @@aggregate_maps[task_id] = aggregate_maps_element
+      else
+        return if @map_action == "create"
+      end
+      map = aggregate_maps_element.map
 
-			# execute the code to read/update map and event
-			begin
-				@codeblock.call(event, map)
-				noError = true
-			rescue => exception
-				@logger.error("Aggregate exception occurred. Error: #{exception} ; Code: #{@code} ; Map: #{map} ; EventData: #{event.instance_variable_get('@data')}")
-				event.tag("_aggregateexception")
-			end
-			
-			# delete the map if task is ended
-			@@aggregate_maps.delete(task_id) if @end_of_task
-		end
+      # execute the code to read/update map and event
+      begin
+        @codeblock.call(event, map)
+        noError = true
+      rescue => exception
+        @logger.error("Aggregate exception occurred. Error: #{exception} ; Code: #{@code} ; Map: #{map} ; EventData: #{event.instance_variable_get('@data')}")
+        event.tag("_aggregateexception")
+      end
+      
+      # delete the map if task is ended
+      @@aggregate_maps.delete(task_id) if @end_of_task
+    end
 
-		# match the filter, only if no error occurred
-		filter_matched(event) if noError
-	end
+    # match the filter, only if no error occurred
+    filter_matched(event) if noError
+  end
 
-	# Necessary to indicate logstash to periodically call 'flush' method
-	def periodic_flush
-		true
-	end
+  # Necessary to indicate logstash to periodically call 'flush' method
+  def periodic_flush
+    true
+  end
   
-	# This method is invoked by LogStash every 5 seconds.
-	def flush(options = {})
-		# Protection against no timeout defined by logstash conf : define a default eviction instance with timeout = DEFAULT_TIMEOUT seconds
-		if (@@eviction_instance.nil?)
-			@@eviction_instance = self
-			@timeout = DEFAULT_TIMEOUT
-		end
-		
-		# Launch eviction only every interval of (@timeout / 2) seconds
-		if (@@eviction_instance == self && (@@last_eviction_timestamp.nil? || Time.now > @@last_eviction_timestamp + @timeout / 2))
-			remove_expired_elements()
-			@@last_eviction_timestamp = Time.now
-		end
-		
-		return nil
-	end
+  # This method is invoked by LogStash every 5 seconds.
+  def flush(options = {})
+    # Protection against no timeout defined by logstash conf : define a default eviction instance with timeout = DEFAULT_TIMEOUT seconds
+    if (@@eviction_instance.nil?)
+      @@eviction_instance = self
+      @timeout = DEFAULT_TIMEOUT
+    end
+    
+    # Launch eviction only every interval of (@timeout / 2) seconds
+    if (@@eviction_instance == self && (@@last_eviction_timestamp.nil? || Time.now > @@last_eviction_timestamp + @timeout / 2))
+      remove_expired_elements()
+      @@last_eviction_timestamp = Time.now
+    end
+    
+    return nil
+  end
 
-	
-	# Remove the expired Aggregate elements from "aggregate_maps" if they are older than timeout
-	def remove_expired_elements()
-		min_timestamp = Time.now - @timeout
-		@@mutex.synchronize do
-			@@aggregate_maps.delete_if { |key, element| element.creation_timestamp < min_timestamp }
-		end
-	end
+  
+  # Remove the expired Aggregate elements from "aggregate_maps" if they are older than timeout
+  def remove_expired_elements()
+    min_timestamp = Time.now - @timeout
+    @@mutex.synchronize do
+      @@aggregate_maps.delete_if { |key, element| element.creation_timestamp < min_timestamp }
+    end
+  end
 
 end # class LogStash::Filters::Aggregate
 
 # Element of "aggregate_maps"
 class LogStash::Filters::Aggregate::Element
 
-	attr_accessor :creation_timestamp, :map
+  attr_accessor :creation_timestamp, :map
 
-	def initialize(creation_timestamp)
-		@creation_timestamp = creation_timestamp
-		@map = {}
-	end
+  def initialize(creation_timestamp)
+    @creation_timestamp = creation_timestamp
+    @map = {}
+  end
 end

data/logstash-filter-aggregate.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'logstash-filter-aggregate'
-  s.version         = '2.0.2'
+  s.version         = '2.0.3'
   s.licenses = ['Apache License (2.0)']
   s.summary = "The aim of this filter is to aggregate information available among several events (typically log lines) belonging to a same task, and finally push aggregated information into final task event."
   s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
@@ -19,6 +19,6 @@ Gem::Specification.new do |s|
   s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
 
   # Gem dependencies
-  s.add_runtime_dependency "logstash-core", ">= 2.0.0.beta2", "< 3.0.0"
+  s.add_runtime_dependency "logstash-core", ">= 2.0.0", "< 3.0.0"
   s.add_development_dependency 'logstash-devutils', '~> 0'
 end

data/spec/filters/aggregate_spec.rb

@@ -5,173 +5,181 @@ require_relative "aggregate_spec_helper"
 
 describe LogStash::Filters::Aggregate do
 
-	before(:each) do
-		set_eviction_instance(nil)
-		aggregate_maps.clear()
-		@start_filter = setup_filter({ "map_action" => "create", "code" => "map['sql_duration'] = 0" })
-		@update_filter = setup_filter({ "map_action" => "update", "code" => "map['sql_duration'] += event['duration']" })
-		@end_filter = setup_filter({ "map_action" => "update", "code" => "event.to_hash.merge!(map)", "end_of_task" => true, "timeout" => 5 })
-	end
-
-	context "Start event" do
-		describe "and receiving an event without task_id" do
-			it "does not record it" do
-				@start_filter.filter(event())
-				expect(aggregate_maps).to be_empty
-			end
-		end
-		describe "and receiving an event with task_id" do
-			it "records it" do
-				event = start_event("taskid" => "id123")
-				@start_filter.filter(event)
-
-				expect(aggregate_maps.size).to eq(1)
-				expect(aggregate_maps["id123"]).not_to be_nil
-				expect(aggregate_maps["id123"].creation_timestamp).to be >= event["@timestamp"]
-				expect(aggregate_maps["id123"].map["sql_duration"]).to eq(0)
-			end
-		end
-
-		describe "and receiving two 'start events' for the same task_id" do
-			it "keeps the first one and does nothing with the second one" do
-
-				first_start_event = start_event("taskid" => "id124")
-				@start_filter.filter(first_start_event)
-				
-				first_update_event = update_event("taskid" => "id124", "duration" => 2)
-				@update_filter.filter(first_update_event)
-				
-				sleep(1)
-				second_start_event = start_event("taskid" => "id124")
-				@start_filter.filter(second_start_event)
-
-				expect(aggregate_maps.size).to eq(1)
-				expect(aggregate_maps["id124"].creation_timestamp).to be < second_start_event["@timestamp"]
-				expect(aggregate_maps["id124"].map["sql_duration"]).to eq(first_update_event["duration"])
-			end
-		end
-	end
-
-	context "End event" do
-		describe "receiving an event without a previous 'start event'" do
-			describe "but without a previous 'start event'" do
-				it "does nothing with the event" do
-					end_event = end_event("taskid" => "id124")
-					@end_filter.filter(end_event)
-
-					expect(aggregate_maps).to be_empty
-					expect(end_event["sql_duration"]).to be_nil
-				end
-			end
-		end
-	end
-
-	context "Start/end events interaction" do
-		describe "receiving a 'start event'" do
-			before(:each) do
-				@task_id_value = "id_123"
-				@start_event = start_event({"taskid" => @task_id_value})
-				@start_filter.filter(@start_event)
-				expect(aggregate_maps.size).to eq(1)
-			end
-
-			describe "and receiving an end event" do
-				describe "and without an id" do
-					it "does nothing" do
-						end_event = end_event()
-						@end_filter.filter(end_event)
-						expect(aggregate_maps.size).to eq(1)
-						expect(end_event["sql_duration"]).to be_nil
-					end
-				end
-
-				describe "and an id different from the one of the 'start event'" do
-					it "does nothing" do
-						different_id_value = @task_id_value + "_different"
-						@end_filter.filter(end_event("taskid" => different_id_value))
-
-						expect(aggregate_maps.size).to eq(1)
-						expect(aggregate_maps[@task_id_value]).not_to be_nil
-					end
-				end
-
-				describe "and the same id of the 'start event'" do
-					it "add 'sql_duration' field to the end event and deletes the aggregate map associated to taskid" do
-						expect(aggregate_maps.size).to eq(1)
-
-						@update_filter.filter(update_event("taskid" => @task_id_value, "duration" => 2))
-
-						end_event = end_event("taskid" => @task_id_value)
-						@end_filter.filter(end_event)
-
-						expect(aggregate_maps).to be_empty
-						expect(end_event["sql_duration"]).to eq(2)
-					end
-
-				end
-			end
-		end
-	end
-
-	context "Event which causes an exception when code call" do
-		it "intercepts exception, logs the error and tags the event with '_aggregateexception'" do
-			@start_filter = setup_filter({ "code" => "fail 'Test'" })
-			start_event = start_event("taskid" => "id124")
-			@start_filter.filter(start_event)
-
-			expect(start_event["tags"]).to eq(["_aggregateexception"])
-		end
-	end
-
-	context "flush call" do
-		before(:each) do
-			@end_filter.timeout = 1
-			expect(@end_filter.timeout).to eq(1)
-			@task_id_value = "id_123"
-			@start_event = start_event({"taskid" => @task_id_value})
-			@start_filter.filter(@start_event)
-			expect(aggregate_maps.size).to eq(1)
-		end
-
-		describe "no timeout defined in none filter" do
-			it "defines a default timeout on a default filter" do
-				set_eviction_instance(nil)
-				expect(eviction_instance).to be_nil
-				@end_filter.flush()
-				expect(eviction_instance).to eq(@end_filter)
-				expect(@end_filter.timeout).to eq(LogStash::Filters::Aggregate::DEFAULT_TIMEOUT)
-			end
-		end
-
-		describe "timeout is defined on another filter" do
-			it "eviction_instance is not updated" do
-				expect(eviction_instance).not_to be_nil
-				@start_filter.flush()
-				expect(eviction_instance).not_to eq(@start_filter)
-				expect(eviction_instance).to eq(@end_filter)
-			end
-		end
-
-		describe "no timeout defined on the filter" do
-			it "event is not removed" do
-				sleep(2)
-				@start_filter.flush()
-				expect(aggregate_maps.size).to eq(1)
-			end
-		end
-
-		describe "timeout defined on the filter" do
-			it "event is not removed if not expired" do
-				@end_filter.flush()
-				expect(aggregate_maps.size).to eq(1)
-			end
-			it "event is removed if expired" do
-				sleep(2)
-				@end_filter.flush()
-				expect(aggregate_maps).to be_empty
-			end
-		end
-
-	end
+  before(:each) do
+    set_eviction_instance(nil)
+    aggregate_maps.clear()
+    @start_filter = setup_filter({ "map_action" => "create", "code" => "map['sql_duration'] = 0" })
+    @update_filter = setup_filter({ "map_action" => "update", "code" => "map['sql_duration'] += event['duration']" })
+    @end_filter = setup_filter({ "map_action" => "update", "code" => "event.to_hash.merge!(map)", "end_of_task" => true, "timeout" => 5 })
+  end
+
+  context "Start event" do
+    describe "and receiving an event without task_id" do
+      it "does not record it" do
+        @start_filter.filter(event())
+        expect(aggregate_maps).to be_empty
+      end
+    end
+    describe "and receiving an event with task_id" do
+      it "records it" do
+        event = start_event("taskid" => "id123")
+        @start_filter.filter(event)
+
+        expect(aggregate_maps.size).to eq(1)
+        expect(aggregate_maps["id123"]).not_to be_nil
+        expect(aggregate_maps["id123"].creation_timestamp).to be >= event["@timestamp"]
+        expect(aggregate_maps["id123"].map["sql_duration"]).to eq(0)
+      end
+    end
+
+    describe "and receiving two 'start events' for the same task_id" do
+      it "keeps the first one and does nothing with the second one" do
+
+        first_start_event = start_event("taskid" => "id124")
+        @start_filter.filter(first_start_event)
+        
+        first_update_event = update_event("taskid" => "id124", "duration" => 2)
+        @update_filter.filter(first_update_event)
+        
+        sleep(1)
+        second_start_event = start_event("taskid" => "id124")
+        @start_filter.filter(second_start_event)
+
+        expect(aggregate_maps.size).to eq(1)
+        expect(aggregate_maps["id124"].creation_timestamp).to be < second_start_event["@timestamp"]
+        expect(aggregate_maps["id124"].map["sql_duration"]).to eq(first_update_event["duration"])
+      end
+    end
+  end
+
+  context "End event" do
+    describe "receiving an event without a previous 'start event'" do
+      describe "but without a previous 'start event'" do
+        it "does nothing with the event" do
+          end_event = end_event("taskid" => "id124")
+          @end_filter.filter(end_event)
+
+          expect(aggregate_maps).to be_empty
+          expect(end_event["sql_duration"]).to be_nil
+        end
+      end
+    end
+  end
+
+  context "Start/end events interaction" do
+    describe "receiving a 'start event'" do
+      before(:each) do
+        @task_id_value = "id_123"
+        @start_event = start_event({"taskid" => @task_id_value})
+        @start_filter.filter(@start_event)
+        expect(aggregate_maps.size).to eq(1)
+      end
+
+      describe "and receiving an end event" do
+        describe "and without an id" do
+          it "does nothing" do
+            end_event = end_event()
+            @end_filter.filter(end_event)
+            expect(aggregate_maps.size).to eq(1)
+            expect(end_event["sql_duration"]).to be_nil
+          end
+        end
+
+        describe "and an id different from the one of the 'start event'" do
+          it "does nothing" do
+            different_id_value = @task_id_value + "_different"
+            @end_filter.filter(end_event("taskid" => different_id_value))
+
+            expect(aggregate_maps.size).to eq(1)
+            expect(aggregate_maps[@task_id_value]).not_to be_nil
+          end
+        end
+
+        describe "and the same id of the 'start event'" do
+          it "add 'sql_duration' field to the end event and deletes the aggregate map associated to taskid" do
+            expect(aggregate_maps.size).to eq(1)
+
+            @update_filter.filter(update_event("taskid" => @task_id_value, "duration" => 2))
+
+            end_event = end_event("taskid" => @task_id_value)
+            @end_filter.filter(end_event)
+
+            expect(aggregate_maps).to be_empty
+            expect(end_event["sql_duration"]).to eq(2)
+          end
+
+        end
+      end
+    end
+  end
+
+  context "Event with integer task id" do
+    it "works as well as with a string task id" do
+      start_event = start_event("taskid" => 124)
+      @start_filter.filter(start_event)
+      expect(aggregate_maps.size).to eq(1)
+    end
+  end
+
+  context "Event which causes an exception when code call" do
+    it "intercepts exception, logs the error and tags the event with '_aggregateexception'" do
+      @start_filter = setup_filter({ "code" => "fail 'Test'" })
+      start_event = start_event("taskid" => "id124")
+      @start_filter.filter(start_event)
+
+      expect(start_event["tags"]).to eq(["_aggregateexception"])
+    end
+  end
+
+  context "flush call" do
+    before(:each) do
+      @end_filter.timeout = 1
+      expect(@end_filter.timeout).to eq(1)
+      @task_id_value = "id_123"
+      @start_event = start_event({"taskid" => @task_id_value})
+      @start_filter.filter(@start_event)
+      expect(aggregate_maps.size).to eq(1)
+    end
+
+    describe "no timeout defined in none filter" do
+      it "defines a default timeout on a default filter" do
+        set_eviction_instance(nil)
+        expect(eviction_instance).to be_nil
+        @end_filter.flush()
+        expect(eviction_instance).to eq(@end_filter)
+        expect(@end_filter.timeout).to eq(LogStash::Filters::Aggregate::DEFAULT_TIMEOUT)
+      end
+    end
+
+    describe "timeout is defined on another filter" do
+      it "eviction_instance is not updated" do
+        expect(eviction_instance).not_to be_nil
+        @start_filter.flush()
+        expect(eviction_instance).not_to eq(@start_filter)
+        expect(eviction_instance).to eq(@end_filter)
+      end
+    end
+
+    describe "no timeout defined on the filter" do
+      it "event is not removed" do
+        sleep(2)
+        @start_filter.flush()
+        expect(aggregate_maps.size).to eq(1)
+      end
+    end
+
+    describe "timeout defined on the filter" do
+      it "event is not removed if not expired" do
+        @end_filter.flush()
+        expect(aggregate_maps.size).to eq(1)
+      end
+      it "event is removed if expired" do
+        sleep(2)
+        @end_filter.flush()
+        expect(aggregate_maps).to be_empty
+      end
+    end
+
+  end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-aggregate
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.0.3
 platform: ruby
 authors:
 - Elastic
@@ -9,58 +9,58 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-10-14 00:00:00.000000000 Z
+date: 2015-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-core
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: 2.0.0.beta2
+        version: 2.0.0
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
-  name: logstash-core
-  prerelease: false
-  type: :runtime
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: 2.0.0.beta2
+        version: 2.0.0
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
+  prerelease: false
+  type: :runtime
 - !ruby/object:Gem::Dependency
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-devutils
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-devutils
-  prerelease: false
-  type: :development
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0'
+  prerelease: false
+  type: :development
 description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- lib/logstash/filters/aggregate.rb
+- spec/filters/aggregate_spec.rb
+- spec/filters/aggregate_spec_helper.rb
+- logstash-filter-aggregate.gemspec
 - BUILD.md
 - CHANGELOG.md
+- README.md
 - CONTRIBUTORS
 - Gemfile
 - LICENSE
-- README.md
-- lib/logstash/filters/aggregate.rb
-- logstash-filter-aggregate.gemspec
-- spec/filters/aggregate_spec.rb
-- spec/filters/aggregate_spec_helper.rb
 homepage: https://github.com/logstash-plugins/logstash-filter-aggregate
 licenses:
 - Apache License (2.0)
@@ -83,7 +83,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.1.9
 signing_key:
 specification_version: 4
 summary: The aim of this filter is to aggregate information available among several events (typically log lines) belonging to a same task, and finally push aggregated information into final task event.