RubyGems - logstash-filter-aggregate - Versions diffs - 2.5.1 → 2.5.2 - Mend

logstash-filter-aggregate 2.5.1 → 2.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/BUILD.md +81 -81
data/CHANGELOG.md +71 -65
data/CONTRIBUTORS +14 -14
data/Gemfile +2 -2
data/LICENSE +13 -13
data/NOTICE.txt +4 -4
data/README.md +327 -296
data/lib/logstash/filters/aggregate.rb +685 -642
data/logstash-filter-aggregate.gemspec +26 -26
data/spec/filters/aggregate_spec.rb +315 -301
data/spec/filters/aggregate_spec_helper.rb +63 -63
metadata +2 -2

data/lib/logstash/filters/aggregate.rb CHANGED

@@ -1,643 +1,686 @@
-# encoding: utf-8
-require "logstash/filters/base"
-require "logstash/namespace"
-require "thread"
-require "logstash/util/decorators"
-#
-# The aim of this filter is to aggregate information available among several events (typically log lines) belonging to a same task,
-# and finally push aggregated information into final task event.
-#
-# You should be very careful to set logstash filter workers to 1 (`-w 1` flag) for this filter to work correctly
-# otherwise events may be processed out of sequence and unexpected results will occur.
-#
-# ==== Example #1
-#
-# * with these given logs :
-# [source,ruby]
-# ----------------------------------
-#  INFO - 12345 - TASK_START - start
-#  INFO - 12345 - SQL - sqlQuery1 - 12
-#  INFO - 12345 - SQL - sqlQuery2 - 34
-#  INFO - 12345 - TASK_END - end
-# ----------------------------------
-#
-# * you can aggregate "sql duration" for the whole task with this configuration :
-# [source,ruby]
-# ----------------------------------
-#  filter {
-#    grok {
-#      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
-#    }
-#
-#    if [logger] == "TASK_START" {
-#      aggregate {
-#        task_id => "%{taskid}"
-#        code => "map['sql_duration'] = 0"
-#        map_action => "create"
-#      }
-#    }
-#
-#    if [logger] == "SQL" {
-#      aggregate {
-#        task_id => "%{taskid}"
-#        code => "map['sql_duration'] += event.get('duration')"
-#        map_action => "update"
-#      }
-#    }
-#
-#    if [logger] == "TASK_END" {
-#      aggregate {
-#        task_id => "%{taskid}"
-#        code => "event.set('sql_duration', map['sql_duration'])"
-#        map_action => "update"
-#        end_of_task => true
-#        timeout => 120
-#      }
-#    }
-#  }
-# ----------------------------------
-#
-# * the final event then looks like :
-# [source,ruby]
-# ----------------------------------
-# {
-#        "message" => "INFO - 12345 - TASK_END - end message",
-#   "sql_duration" => 46
-# }
-# ----------------------------------
-#
-# the field `sql_duration` is added and contains the sum of all sql queries durations.
-#
-# ==== Example #2 : no start event
-#
-# * If you have the same logs than example #1, but without a start log :
-# [source,ruby]
-# ----------------------------------
-#  INFO - 12345 - SQL - sqlQuery1 - 12
-#  INFO - 12345 - SQL - sqlQuery2 - 34
-#  INFO - 12345 - TASK_END - end
-# ----------------------------------
-#
-# * you can also aggregate "sql duration" with a slightly different configuration :
-# [source,ruby]
-# ----------------------------------
-#  filter {
-#    grok {
-#      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
-#    }
-#
-#    if [logger] == "SQL" {
-#      aggregate {
-#        task_id => "%{taskid}"
-#        code => "map['sql_duration'] ||= 0 ; map['sql_duration'] += event.get('duration')"
-#      }
-#    }
-#
-#    if [logger] == "TASK_END" {
-#      aggregate {
-#        task_id => "%{taskid}"
-#        code => "event.set('sql_duration', map['sql_duration'])"
-#        end_of_task => true
-#        timeout => 120
-#      }
-#    }
-#  }
-# ----------------------------------
-#
-# * the final event is exactly the same than example #1
-# * the key point is the "||=" ruby operator. It allows to initialize 'sql_duration' map entry to 0 only if this map entry is not already initialized
-#
-#
-# ==== Example #3 : no end event
-#
-# Third use case: You have no specific end event.
-#
-# A typical case is aggregating or tracking user behaviour. We can track a user by its ID through the events, however once the user stops interacting, the events stop coming in. There is no specific event indicating the end of the user's interaction.
-#
-# In this case, we can enable the option 'push_map_as_event_on_timeout' to enable pushing the aggregation map as a new event when a timeout occurs.
-# In addition, we can enable 'timeout_code' to execute code on the populated timeout event.
-# We can also add 'timeout_task_id_field' so we can correlate the task_id, which in this case would be the user's ID.
-#
-# * Given these logs:
-#
-# [source,ruby]
-# ----------------------------------
-# INFO - 12345 - Clicked One
-# INFO - 12345 - Clicked Two
-# INFO - 12345 - Clicked Three
-# ----------------------------------
-#
-# * You can aggregate the amount of clicks the user did like this:
-#
-# [source,ruby]
-# ----------------------------------
-# filter {
-#   grok {
-#     match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:user_id} - %{GREEDYDATA:msg_text}" ]
-#   }
-#
-#   aggregate {
-#     task_id => "%{user_id}"
-#     code => "map['clicks'] ||= 0; map['clicks'] += 1;"
-#     push_map_as_event_on_timeout => true
-#     timeout_task_id_field => "user_id"
-#     timeout => 600 # 10 minutes timeout
-#     timeout_tags => ['_aggregatetimeout']
-#     timeout_code => "event.set('several_clicks', event.get('clicks') > 1)"
-#   }
-# }
-# ----------------------------------
-#
-# * After ten minutes, this will yield an event like:
-#
-# [source,json]
-# ----------------------------------
-# {
-#   "user_id": "12345",
-#   "clicks": 3,
-#   "several_clicks": true,
-#     "tags": [
-#        "_aggregatetimeout"
-#     ]
-# }
-# ----------------------------------
-#
-# ==== Example #4 : no end event and tasks come one after the other
-#
-# Fourth use case : like example #3, you have no specific end event, but also, tasks come one after the other.
-# That is to say : tasks are not interlaced. All task1 events come, then all task2 events come, ...
-# In that case, you don't want to wait task timeout to flush aggregation map.
-# * A typical case is aggregating results from jdbc input plugin.
-# * Given that you have this SQL query : `SELECT country_name, town_name FROM town`
-# * Using jdbc input plugin, you get these 3 events from :
-# [source,json]
-# ----------------------------------
-#   { "country_name": "France", "town_name": "Paris" }
-#   { "country_name": "France", "town_name": "Marseille" }
-#   { "country_name": "USA", "town_name": "New-York" }
-# ----------------------------------
-# * And you would like these 2 result events to push them into elasticsearch :
-# [source,json]
-# ----------------------------------
-#   { "country_name": "France", "town_name": [ "Paris", "Marseille" ] }
-#   { "country_name": "USA", "town_name": [ "New-York" ] }
-# ----------------------------------
-# * You can do that using `push_previous_map_as_event` aggregate plugin option :
-# [source,ruby]
-# ----------------------------------
-#      filter {
-#      aggregate {
-#          task_id => "%{country_name}"
-#          code => "
-#           map['town_name'] ||= []
-#           event.to_hash.each do |key,value|
-#             map[key] = value unless map.has_key?(key)
-#             map[key] << value if map[key].is_a?(Array) and !value.is_a?(Array)
-#           end
-#          "
-#          push_previous_map_as_event => true
-#          timeout => 5
-#          timeout_tags => ['aggregated']
-#      }
-#
-#      if "aggregated" not in [tags] {
-#       drop {}
-#      }
-#    }
-# ----------------------------------
-# * The key point is that each time aggregate plugin detects a new `country_name`, it pushes previous aggregate map as a new logstash event (with 'aggregated' tag), and then creates a new empty map for the next country
-# * When 5s timeout comes, the last aggregate map is pushed as a new event
-# * Finally, initial events (which are not aggregated) are dropped because useless
-#
-#
-# ==== How it works
-# * the filter needs a "task_id" to correlate events (log lines) of a same task
-# * at the task beggining, filter creates a map, attached to task_id
-# * for each event, you can execute code using 'event' and 'map' (for instance, copy an event field to map)
-# * in the final event, you can execute a last code (for instance, add map data to final event)
-# * after the final event, the map attached to task is deleted
-# * in one filter configuration, it is recommanded to define a timeout option to protect the feature against unterminated tasks. It tells the filter to delete expired maps
-# * if no timeout is defined, by default, all maps older than 1800 seconds are automatically deleted
-# * all timeout options have to be defined in only one aggregate filter per task_id pattern. Timeout options are : timeout, timeout_code, push_map_as_event_on_timeout, push_previous_map_as_event, timeout_task_id_field, timeout_tags
-# * if `code` execution raises an exception, the error is logged and event is tagged '_aggregateexception'
-#
-#
-# ==== Use Cases
-# * extract some cool metrics from task logs and push them into task final log event (like in example #1 and #2)
-# * extract error information in any task log line, and push it in final task event (to get a final event with all error information if any)
-# * extract all back-end calls as a list, and push this list in final task event (to get a task profile)
-# * extract all http headers logged in several lines to push this list in final task event (complete http request info)
-# * for every back-end call, collect call details available on several lines, analyse it and finally tag final back-end call log line (error, timeout, business-warning, ...)
-# * Finally, task id can be any correlation id matching your need : it can be a session id, a file path, ...
-#
-#
-class LogStash::Filters::Aggregate < LogStash::Filters::Base
-  config_name "aggregate"
-  # The expression defining task ID to correlate logs.
-  #
-  # This value must uniquely identify the task in the system.
-  #
-  # Example value : "%{application}%{my_task_id}"
-  config :task_id, :validate => :string, :required => true
-  # The code to execute to update map, using current event.
-  #
-  # Or on the contrary, the code to execute to update event, using current map.
-  #
-  # You will have a 'map' variable and an 'event' variable available (that is the event itself).
-  #
-  # Example value : `"map['sql_duration'] += event.get('duration')"`
-  config :code, :validate => :string, :required => true
-  # Tell the filter what to do with aggregate map.
-  #
-  # `create`: create the map, and execute the code only if map wasn't created before
-  #
-  # `update`: doesn't create the map, and execute the code only if map was created before
-  #
-  # `create_or_update`: create the map if it wasn't created before, execute the code in all cases
-  config :map_action, :validate => :string, :default => "create_or_update"
-  # Tell the filter that task is ended, and therefore, to delete aggregate map after code execution.
-  config :end_of_task, :validate => :boolean, :default => false
-  # The path to file where aggregate maps are stored when logstash stops
-  # and are loaded from when logstash starts.
-  #
-  # If not defined, aggregate maps will not be stored at logstash stop and will be lost.
-  # Must be defined in only one aggregate filter (as aggregate maps are global).
-  #
-  # Example value : `"/path/to/.aggregate_maps"`
-  config :aggregate_maps_path, :validate => :string, :required => false
-  # The amount of seconds after a task "end event" can be considered lost.
-  #
-  # When timeout occurs for a task, The task "map" is evicted.
-  #
-  # Timeout can be defined for each "task_id" pattern.
-  #
-  # If no timeout is defined, default timeout will be applied : 1800 seconds.
-  config :timeout, :validate => :number, :required => false
-  # The code to execute to complete timeout generated event, when 'push_map_as_event_on_timeout' or 'push_previous_map_as_event' is set to true.
-  # The code block will have access to the newly generated timeout event that is pre-populated with the aggregation map.
-  #
-  # If 'timeout_task_id_field' is set, the event is also populated with the task_id value
-  #
-  # Example value: `"event.set('state', 'timeout')"`
-  config :timeout_code, :validate => :string, :required => false
-  # When this option is enabled, each time a task timeout is detected, it pushes task aggregation map as a new logstash event.
-  # This enables to detect and process task timeouts in logstash, but also to manage tasks that have no explicit end event.
-  config :push_map_as_event_on_timeout, :validate => :boolean, :required => false, :default => false
-  # When this option is enabled, each time aggregate plugin detects a new task id, it pushes previous aggregate map as a new logstash event,
-  # and then creates a new empty map for the next task.
-  #
-  # WARNING: this option works fine only if tasks come one after the other. It means : all task1 events, then all task2 events, etc...
-  config :push_previous_map_as_event, :validate => :boolean, :required => false, :default => false
-  # This option indicates the timeout generated event's field for the "task_id" value.
-  # The task id will then be set into the timeout event. This can help correlate which tasks have been timed out.
-  #
-  # This field has no default value and will not be set on the event if not configured.
-  #
-  # Example:
-  #
-  # If the task_id is "12345" and this field is set to "my_id", the generated timeout event will contain `'my_id'` key with `'12345'` value.
-  config :timeout_task_id_field, :validate => :string, :required => false
-  # Defines tags to add when a timeout event is generated and yield
-  config :timeout_tags, :validate => :array, :required => false, :default => []
-  # STATIC VARIABLES
-  # Default timeout (in seconds) when not defined in plugin configuration
-  DEFAULT_TIMEOUT = 1800
-  # This is the state of the filter.
-  # For each entry, key is "task_id" and value is a map freely updatable by 'code' config
-  @@aggregate_maps = {}
-  # Mutex used to synchronize access to 'aggregate_maps'
-  @@mutex = Mutex.new
-  # Default timeout for task_id patterns where timeout is not defined in logstash filter configuration
-  @@default_timeout = nil
-  # For each "task_id" pattern, defines which Aggregate instance will process flush() call, processing expired Aggregate elements (older than timeout)
-  # For each entry, key is "task_id pattern" and value is "aggregate instance"
-  @@flush_instance_map = {}
-  # last time where timeout management in flush() method was launched, per "task_id" pattern
-  @@last_flush_timestamp_map = {}
-  # flag indicating if aggregate_maps_path option has been already set on one aggregate instance
-  @@aggregate_maps_path_set = false
-  # defines which Aggregate instance will close Aggregate static variables
-  @@static_close_instance = nil
-  # Initialize plugin
-  public
-  def register
-    @logger.debug("Aggregate register call", :code => @code)
-    # process lambda expression to call in each filter call
-    eval("@codeblock = lambda { |event, map| #{@code} }", binding, "(aggregate filter code)")
-    # process lambda expression to call in the timeout case or previous event case
-    if @timeout_code
-      eval("@timeout_codeblock = lambda { |event| #{@timeout_code} }", binding, "(aggregate filter timeout code)")
-    end
-    @@mutex.synchronize do
-      # timeout management : define eviction_instance for current task_id pattern
-      if has_timeout_options?
-        if @@flush_instance_map.has_key?(@task_id)
-          # all timeout options have to be defined in only one aggregate filter per task_id pattern
-          raise LogStash::ConfigurationError, "Aggregate plugin: For task_id pattern #{@task_id}, there are more than one filter which defines timeout options. All timeout options have to be defined in only one aggregate filter per task_id pattern. Timeout options are : #{display_timeout_options}"
-        end
-        @@flush_instance_map[@task_id] = self
-        @logger.debug("Aggregate timeout for '#{@task_id}' pattern: #{@timeout} seconds")
-      end
-      # timeout management : define default_timeout
-      if !@timeout.nil? && (@@default_timeout.nil? || @timeout < @@default_timeout)
-        @@default_timeout = @timeout
-        @logger.debug("Aggregate default timeout: #{@timeout} seconds")
-      end
-      # reinit static_close_instance (if necessary)
-      if !@@aggregate_maps_path_set && !@@static_close_instance.nil?
-        @@static_close_instance = nil
-      end
-      # check if aggregate_maps_path option has already been set on another instance else set @@aggregate_maps_path_set
-      if !@aggregate_maps_path.nil?
-        if @@aggregate_maps_path_set
-          @@aggregate_maps_path_set = false
-          raise LogStash::ConfigurationError, "Aggregate plugin: Option 'aggregate_maps_path' must be set on only one aggregate filter"
-        else
-          @@aggregate_maps_path_set = true
-          @@static_close_instance = self
-        end
-      end
-      # load aggregate maps from file (if option defined)
-      if !@aggregate_maps_path.nil? && File.exist?(@aggregate_maps_path)
-        File.open(@aggregate_maps_path, "r") { |from_file| @@aggregate_maps = Marshal.load(from_file) }
-        File.delete(@aggregate_maps_path)
-        @logger.info("Aggregate maps loaded from : #{@aggregate_maps_path}")
-      end
-      # init aggregate_maps
-      @@aggregate_maps[@task_id] ||= {}
-    end
-  end
-  # Called when logstash stops
-  public
-  def close
-    @logger.debug("Aggregate close call", :code => @code)
-    # define static close instance if none is already defined
-    @@static_close_instance = self if @@static_close_instance.nil?
-    if @@static_close_instance == self
-      # store aggregate maps to file (if option defined)
-      @@mutex.synchronize do
-        @@aggregate_maps.delete_if { |key, value| value.empty? }
-        if !@aggregate_maps_path.nil? && !@@aggregate_maps.empty?
-          File.open(@aggregate_maps_path, "w"){ |to_file| Marshal.dump(@@aggregate_maps, to_file) }
-          @logger.info("Aggregate maps stored to : #{@aggregate_maps_path}")
-        end
-        @@aggregate_maps.clear()
-      end
-      # reinit static variables for logstash reload
-      @@default_timeout = nil
-      @@flush_instance_map = {}
-      @@last_flush_timestamp_map = {}
-      @@aggregate_maps_path_set = false
-    end
-  end
-  # This method is invoked each time an event matches the filter
-  public
-  def filter(event)
-    # define task id
-    task_id = event.sprintf(@task_id)
-    return if task_id.nil? || task_id == @task_id
-    noError = false
-    event_to_yield = nil
-    # protect aggregate_maps against concurrent access, using a mutex
-    @@mutex.synchronize do
-      # retrieve the current aggregate map
-      aggregate_maps_element = @@aggregate_maps[@task_id][task_id]
-      # create aggregate map, if it doesn't exist
-      if aggregate_maps_element.nil?
-        return if @map_action == "update"
-        # create new event from previous map, if @push_previous_map_as_event is enabled
-        if @push_previous_map_as_event && !@@aggregate_maps[@task_id].empty?
-          event_to_yield = extract_previous_map_as_event()
-        end
-        aggregate_maps_element = LogStash::Filters::Aggregate::Element.new(Time.now);
-        @@aggregate_maps[@task_id][task_id] = aggregate_maps_element
-      else
-        return if @map_action == "create"
-      end
-      map = aggregate_maps_element.map
-      # execute the code to read/update map and event
-      begin
-        @codeblock.call(event, map)
-        @logger.debug("Aggregate successful filter code execution", :code => @code)
-        noError = true
-      rescue => exception
-        @logger.error("Aggregate exception occurred",
-                      :error => exception,
-                      :code => @code,
-                      :map => map,
-                      :event_data => event.to_hash_with_metadata)
-        event.tag("_aggregateexception")
-      end
-      # delete the map if task is ended
-      @@aggregate_maps[@task_id].delete(task_id) if @end_of_task
-    end
-    # match the filter, only if no error occurred
-    filter_matched(event) if noError
-    # yield previous map as new event if set
-    yield event_to_yield unless event_to_yield.nil?
-  end
-  # Create a new event from the aggregation_map and the corresponding task_id
-  # This will create the event and
-  #  if @timeout_task_id_field is set, it will set the task_id on the timeout event
-  #  if @timeout_code is set, it will execute the timeout code on the created timeout event
-  # returns the newly created event
-  def create_timeout_event(aggregation_map, task_id)
-    @logger.debug("Aggregate create_timeout_event call with task_id '#{task_id}'")
-    event_to_yield = LogStash::Event.new(aggregation_map)
-    if @timeout_task_id_field
-      event_to_yield.set(@timeout_task_id_field, task_id)
-    end
-    LogStash::Util::Decorators.add_tags(@timeout_tags, event_to_yield, "filters/#{self.class.name}")
-    # Call code block if available
-    if @timeout_code
-      begin
-        @timeout_codeblock.call(event_to_yield)
-      rescue => exception
-        @logger.error("Aggregate exception occurred",
-                      :error => exception,
-                      :timeout_code => @timeout_code,
-                      :timeout_event_data => event_to_yield.to_hash_with_metadata)
-        event_to_yield.tag("_aggregateexception")
-      end
-    end
-    return event_to_yield
-  end
-  # Extract the previous map in aggregate maps, and return it as a new Logstash event
-  def extract_previous_map_as_event
-    previous_entry = @@aggregate_maps[@task_id].shift()
-    previous_task_id = previous_entry[0]
-    previous_map = previous_entry[1].map
-    return create_timeout_event(previous_map, previous_task_id)
-  end
-  # Necessary to indicate logstash to periodically call 'flush' method
-  def periodic_flush
-    true
-  end
-  # This method is invoked by LogStash every 5 seconds.
-  def flush(options = {})
-    @logger.debug("Aggregate flush call with #{options}")
-    # Protection against no timeout defined by logstash conf : define a default eviction instance with timeout = DEFAULT_TIMEOUT seconds
-    if @@default_timeout.nil?
-      @@default_timeout = DEFAULT_TIMEOUT
-    end
-    if !@@flush_instance_map.has_key?(@task_id)
-      @@flush_instance_map[@task_id] = self
-      @timeout = @@default_timeout
-    elsif @@flush_instance_map[@task_id].timeout.nil?
-      @@flush_instance_map[@task_id].timeout = @@default_timeout
-    end
-    # Launch timeout management only every interval of (@timeout / 2) seconds or at Logstash shutdown
-    if @@flush_instance_map[@task_id] == self && (!@@last_flush_timestamp_map.has_key?(@task_id) || Time.now > @@last_flush_timestamp_map[@task_id] + @timeout / 2 || options[:final])
-      events_to_flush = remove_expired_maps()
-      # at Logstash shutdown, if push_previous_map_as_event is enabled, it's important to force flush (particularly for jdbc input plugin)
-      if options[:final] && @push_previous_map_as_event && !@@aggregate_maps[@task_id].empty?
-        events_to_flush << extract_previous_map_as_event()
-      end
-      # tag flushed events, indicating "final flush" special event
-      if options[:final]
-        events_to_flush.each { |event_to_flush| event_to_flush.tag("_aggregatefinalflush") }
-      end
-      # update last flush timestamp
-      @@last_flush_timestamp_map[@task_id] = Time.now
-      # return events to flush into Logstash pipeline
-      return events_to_flush
-    else
-      return []
-    end
-  end
-  # Remove the expired Aggregate maps from @@aggregate_maps if they are older than timeout.
-  # If @push_previous_map_as_event option is set, or @push_map_as_event_on_timeout is set, expired maps are returned as new events to be flushed to Logstash pipeline.
-  def remove_expired_maps()
-    events_to_flush = []
-    min_timestamp = Time.now - @timeout
-    @@mutex.synchronize do
-      @logger.debug("Aggregate remove_expired_maps call with '#{@task_id}' pattern and #{@@aggregate_maps[@task_id].length} maps")
-      @@aggregate_maps[@task_id].delete_if do |key, element|
-        if element.creation_timestamp < min_timestamp
-          if @push_previous_map_as_event || @push_map_as_event_on_timeout
-            events_to_flush << create_timeout_event(element.map, key)
-          end
-          next true
-        end
-        next false
-      end
-    end
-    return events_to_flush
-  end
-  # return if this filter instance has any timeout option enabled in logstash configuration
-  def has_timeout_options?()
-    return (
-      timeout ||
-      timeout_code ||
-      push_map_as_event_on_timeout ||
-      push_previous_map_as_event ||
-      timeout_task_id_field ||
-      !timeout_tags.empty?
-    )
-  end
-  # display all possible timeout options
-  def display_timeout_options()
-    return [
-      "timeout",
-      "timeout_code",
-      "push_map_as_event_on_timeout",
-      "push_previous_map_as_event",
-      "timeout_task_id_field",
-      "timeout_tags"
-    ].join(", ")
-  end
-end # class LogStash::Filters::Aggregate
-# Element of "aggregate_maps"
-class LogStash::Filters::Aggregate::Element
-  attr_accessor :creation_timestamp, :map
-  def initialize(creation_timestamp)
-    @creation_timestamp = creation_timestamp
-    @map = {}
-  end
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "thread"
+require "logstash/util/decorators"
+#
+# The aim of this filter is to aggregate information available among several events (typically log lines) belonging to a same task,
+# and finally push aggregated information into final task event.
+#
+# You should be very careful to set Logstash filter workers to 1 (`-w 1` flag) for this filter to work correctly
+# otherwise events may be processed out of sequence and unexpected results will occur.
+#
+# ==== Example #1
+#
+# * with these given logs :
+# [source,ruby]
+# ----------------------------------
+#  INFO - 12345 - TASK_START - start
+#  INFO - 12345 - SQL - sqlQuery1 - 12
+#  INFO - 12345 - SQL - sqlQuery2 - 34
+#  INFO - 12345 - TASK_END - end
+# ----------------------------------
+#
+# * you can aggregate "sql duration" for the whole task with this configuration :
+# [source,ruby]
+# ----------------------------------
+#  filter {
+#    grok {
+#      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
+#    }
+#
+#    if [logger] == "TASK_START" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "map['sql_duration'] = 0"
+#        map_action => "create"
+#      }
+#    }
+#
+#    if [logger] == "SQL" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "map['sql_duration'] += event.get('duration')"
+#        map_action => "update"
+#      }
+#    }
+#
+#    if [logger] == "TASK_END" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "event.set('sql_duration', map['sql_duration'])"
+#        map_action => "update"
+#        end_of_task => true
+#        timeout => 120
+#      }
+#    }
+#  }
+# ----------------------------------
+#
+# * the final event then looks like :
+# [source,ruby]
+# ----------------------------------
+# {
+#        "message" => "INFO - 12345 - TASK_END - end message",
+#   "sql_duration" => 46
+# }
+# ----------------------------------
+#
+# the field `sql_duration` is added and contains the sum of all sql queries durations.
+#
+# ==== Example #2 : no start event
+#
+# * If you have the same logs than example #1, but without a start log :
+# [source,ruby]
+# ----------------------------------
+#  INFO - 12345 - SQL - sqlQuery1 - 12
+#  INFO - 12345 - SQL - sqlQuery2 - 34
+#  INFO - 12345 - TASK_END - end
+# ----------------------------------
+#
+# * you can also aggregate "sql duration" with a slightly different configuration :
+# [source,ruby]
+# ----------------------------------
+#  filter {
+#    grok {
+#      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
+#    }
+#
+#    if [logger] == "SQL" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "map['sql_duration'] ||= 0 ; map['sql_duration'] += event.get('duration')"
+#      }
+#    }
+#
+#    if [logger] == "TASK_END" {
+#      aggregate {
+#        task_id => "%{taskid}"
+#        code => "event.set('sql_duration', map['sql_duration'])"
+#        end_of_task => true
+#        timeout => 120
+#      }
+#    }
+#  }
+# ----------------------------------
+#
+# * the final event is exactly the same than example #1
+# * the key point is the "||=" ruby operator. It allows to initialize 'sql_duration' map entry to 0 only if this map entry is not already initialized
+#
+#
+# ==== Example #3 : no end event
+#
+# Third use case: You have no specific end event.
+#
+# A typical case is aggregating or tracking user behaviour. We can track a user by its ID through the events, however once the user stops interacting, the events stop coming in. There is no specific event indicating the end of the user's interaction.
+#
+# In this case, we can enable the option 'push_map_as_event_on_timeout' to enable pushing the aggregation map as a new event when a timeout occurs.
+# In addition, we can enable 'timeout_code' to execute code on the populated timeout event.
+# We can also add 'timeout_task_id_field' so we can correlate the task_id, which in this case would be the user's ID.
+#
+# * Given these logs:
+#
+# [source,ruby]
+# ----------------------------------
+# INFO - 12345 - Clicked One
+# INFO - 12345 - Clicked Two
+# INFO - 12345 - Clicked Three
+# ----------------------------------
+#
+# * You can aggregate the amount of clicks the user did like this:
+#
+# [source,ruby]
+# ----------------------------------
+# filter {
+#   grok {
+#     match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:user_id} - %{GREEDYDATA:msg_text}" ]
+#   }
+#
+#   aggregate {
+#     task_id => "%{user_id}"
+#     code => "map['clicks'] ||= 0; map['clicks'] += 1;"
+#     push_map_as_event_on_timeout => true
+#     timeout_task_id_field => "user_id"
+#     timeout => 600 # 10 minutes timeout
+#     timeout_tags => ['_aggregatetimeout']
+#     timeout_code => "event.set('several_clicks', event.get('clicks') > 1)"
+#   }
+# }
+# ----------------------------------
+#
+# * After ten minutes, this will yield an event like:
+#
+# [source,json]
+# ----------------------------------
+# {
+#   "user_id": "12345",
+#   "clicks": 3,
+#   "several_clicks": true,
+#     "tags": [
+#        "_aggregatetimeout"
+#     ]
+# }
+# ----------------------------------
+#
+# ==== Example #4 : no end event and tasks come one after the other
+#
+# Fourth use case : like example #3, you have no specific end event, but also, tasks come one after the other.
+# That is to say : tasks are not interlaced. All task1 events come, then all task2 events come, ...
+# In that case, you don't want to wait task timeout to flush aggregation map.
+# * A typical case is aggregating results from jdbc input plugin.
+# * Given that you have this SQL query : `SELECT country_name, town_name FROM town`
+# * Using jdbc input plugin, you get these 3 events from :
+# [source,json]
+# ----------------------------------
+#   { "country_name": "France", "town_name": "Paris" }
+#   { "country_name": "France", "town_name": "Marseille" }
+#   { "country_name": "USA", "town_name": "New-York" }
+# ----------------------------------
+# * And you would like these 2 result events to push them into elasticsearch :
+# [source,json]
+# ----------------------------------
+#   { "country_name": "France", "towns": [ {"town_name": "Paris"}, {"town_name": "Marseille"} ] }
+#   { "country_name": "USA", "towns": [ {"town_name": "New-York"} ] }
+# ----------------------------------
+# * You can do that using `push_previous_map_as_event` aggregate plugin option :
+# [source,ruby]
+# ----------------------------------
+#    filter {
+#      aggregate {
+#        task_id => "%{country_name}"
+#        code => "
+#          map['country_name'] = event.get('country_name')
+#          map['towns'] ||= []
+#          map['towns'] << {'town_name' => event.get('town_name')}
+#          event.cancel()
+#        "
+#        push_previous_map_as_event => true
+#        timeout => 3
+#      }
+#    }
+# ----------------------------------
+# * The key point is that each time aggregate plugin detects a new `country_name`, it pushes previous aggregate map as a new Logstash event, and then creates a new empty map for the next country
+# * When 5s timeout comes, the last aggregate map is pushed as a new event
+# * Finally, initial events (which are not aggregated) are dropped because useless (thanks to `event.cancel()`)
+#
+#
+# ==== How it works
+# * the filter needs a "task_id" to correlate events (log lines) of a same task
+# * at the task beggining, filter creates a map, attached to task_id
+# * for each event, you can execute code using 'event' and 'map' (for instance, copy an event field to map)
+# * in the final event, you can execute a last code (for instance, add map data to final event)
+# * after the final event, the map attached to task is deleted (thanks to `end_of_task => true`)
+# * an aggregate map is tied to one task_id value which is tied to one task_id pattern. So if you have 2 filters with different task_id patterns, even if you have same task_id value, they won't share the same aggregate map.
+# * in one filter configuration, it is recommanded to define a timeout option to protect the feature against unterminated tasks. It tells the filter to delete expired maps
+# * if no timeout is defined, by default, all maps older than 1800 seconds are automatically deleted
+# * all timeout options have to be defined in only one aggregate filter per task_id pattern. Timeout options are : timeout, timeout_code, push_map_as_event_on_timeout, push_previous_map_as_event, timeout_task_id_field, timeout_tags
+# * if `code` execution raises an exception, the error is logged and event is tagged '_aggregateexception'
+#
+#
+# ==== Use Cases
+# * extract some cool metrics from task logs and push them into task final log event (like in example #1 and #2)
+# * extract error information in any task log line, and push it in final task event (to get a final event with all error information if any)
+# * extract all back-end calls as a list, and push this list in final task event (to get a task profile)
+# * extract all http headers logged in several lines to push this list in final task event (complete http request info)
+# * for every back-end call, collect call details available on several lines, analyse it and finally tag final back-end call log line (error, timeout, business-warning, ...)
+# * Finally, task id can be any correlation id matching your need : it can be a session id, a file path, ...
+#
+#
+class LogStash::Filters::Aggregate < LogStash::Filters::Base
+  # ############## #
+  # CONFIG OPTIONS #
+  # ############## #
+  config_name "aggregate"
+  # The expression defining task ID to correlate logs.
+  #
+  # This value must uniquely identify the task.
+  #
+  # Example:
+  # [source,ruby]
+  #     filter {
+  #       aggregate {
+  #         task_id => "%{type}%{my_task_id}"
+  #       }
+  #     }
+  config :task_id, :validate => :string, :required => true
+  # The code to execute to update map, using current event.
+  #
+  # Or on the contrary, the code to execute to update event, using current map.
+  #
+  # You will have a 'map' variable and an 'event' variable available (that is the event itself).
+  #
+  # Example:
+  # [source,ruby]
+  #     filter {
+  #       aggregate {
+  #         code => "map['sql_duration'] += event.get('duration')"
+  #       }
+  #     }
+  config :code, :validate => :string, :required => true
+  # Tell the filter what to do with aggregate map.
+  #
+  # `"create"`: create the map, and execute the code only if map wasn't created before
+  #
+  # `"update"`: doesn't create the map, and execute the code only if map was created before
+  #
+  # `"create_or_update"`: create the map if it wasn't created before, execute the code in all cases
+  config :map_action, :validate => :string, :default => "create_or_update"
+  # Tell the filter that task is ended, and therefore, to delete aggregate map after code execution.
+  config :end_of_task, :validate => :boolean, :default => false
+  # The path to file where aggregate maps are stored when Logstash stops
+  # and are loaded from when Logstash starts.
+  #
+  # If not defined, aggregate maps will not be stored at Logstash stop and will be lost.
+  # Must be defined in only one aggregate filter (as aggregate maps are global).
+  #
+  # Example:
+  # [source,ruby]
+  #     filter {
+  #       aggregate {
+  #         aggregate_maps_path => "/path/to/.aggregate_maps"
+  #       }
+  #     }
+  config :aggregate_maps_path, :validate => :string, :required => false
+  # The amount of seconds after a task "end event" can be considered lost.
+  #
+  # When timeout occurs for a task, The task "map" is evicted.
+  #
+  # Timeout can be defined for each "task_id" pattern.
+  #
+  # If no timeout is defined, default timeout will be applied : 1800 seconds.
+  config :timeout, :validate => :number, :required => false
+  # The code to execute to complete timeout generated event, when `'push_map_as_event_on_timeout'` or `'push_previous_map_as_event'` is set to true.
+  # The code block will have access to the newly generated timeout event that is pre-populated with the aggregation map.
+  #
+  # If `'timeout_task_id_field'` is set, the event is also populated with the task_id value
+  #
+  # Example:
+  # [source,ruby]
+  #     filter {
+  #       aggregate {
+  #         timeout_code => "event.set('state', 'timeout')"
+  #       }
+  #     }
+  config :timeout_code, :validate => :string, :required => false
+  # When this option is enabled, each time a task timeout is detected, it pushes task aggregation map as a new Logstash event.
+  # This enables to detect and process task timeouts in Logstash, but also to manage tasks that have no explicit end event.
+  config :push_map_as_event_on_timeout, :validate => :boolean, :required => false, :default => false
+  # When this option is enabled, each time aggregate plugin detects a new task id, it pushes previous aggregate map as a new Logstash event,
+  # and then creates a new empty map for the next task.
+  #
+  # WARNING: this option works fine only if tasks come one after the other. It means : all task1 events, then all task2 events, etc...
+  config :push_previous_map_as_event, :validate => :boolean, :required => false, :default => false
+  # This option indicates the timeout generated event's field for the "task_id" value.
+  # The task id will then be set into the timeout event. This can help correlate which tasks have been timed out.
+  #
+  # For example, with option `timeout_task_id_field => "my_id"` ,when timeout task id is `"12345"`, the generated timeout event will contain `'my_id' => '12345'`.
+  #
+  # By default, if this option is not set, task id value won't be set into timeout generated event.
+  config :timeout_task_id_field, :validate => :string, :required => false
+  # Defines tags to add when a timeout event is generated and yield
+  #
+  # Example:
+  # [source,ruby]
+  #     filter {
+  #       aggregate {
+  #         timeout_tags => ["aggregate_timeout']
+  #       }
+  #     }
+  config :timeout_tags, :validate => :array, :required => false, :default => []
+  # ################ #
+  # STATIC VARIABLES #
+  # ################ #
+  # Default timeout (in seconds) when not defined in plugin configuration
+  DEFAULT_TIMEOUT = 1800
+  # This is the state of the filter.
+  # For each entry, key is "task_id" and value is a map freely updatable by 'code' config
+  @@aggregate_maps = {}
+  # Mutex used to synchronize access to 'aggregate_maps'
+  @@mutex = Mutex.new
+  # Default timeout for task_id patterns where timeout is not defined in Logstash filter configuration
+  @@default_timeout = nil
+  # For each "task_id" pattern, defines which Aggregate instance will process flush() call, processing expired Aggregate elements (older than timeout)
+  # For each entry, key is "task_id pattern" and value is "aggregate instance"
+  @@flush_instance_map = {}
+  # last time where timeout management in flush() method was launched, per "task_id" pattern
+  @@last_flush_timestamp_map = {}
+  # flag indicating if aggregate_maps_path option has been already set on one aggregate instance
+  @@aggregate_maps_path_set = false
+  # defines which Aggregate instance will close Aggregate static variables
+  @@static_close_instance = nil
+  # ####### #
+  # METHODS #
+  # ####### #
+  # Initialize plugin
+  public
+  def register
+    @logger.debug("Aggregate register call", :code => @code)
+    # validate task_id option
+    if !@task_id.match(/%\{.+\}/)
+      raise LogStash::ConfigurationError, "Aggregate plugin: task_id pattern '#{@task_id}' must contain a dynamic expression like '%{field}'"
+    end
+    # process lambda expression to call in each filter call
+    eval("@codeblock = lambda { |event, map| #{@code} }", binding, "(aggregate filter code)")
+    # process lambda expression to call in the timeout case or previous event case
+    if @timeout_code
+      eval("@timeout_codeblock = lambda { |event| #{@timeout_code} }", binding, "(aggregate filter timeout code)")
+    end
+    @@mutex.synchronize do
+      # timeout management : define eviction_instance for current task_id pattern
+      if has_timeout_options?
+        if @@flush_instance_map.has_key?(@task_id)
+          # all timeout options have to be defined in only one aggregate filter per task_id pattern
+          raise LogStash::ConfigurationError, "Aggregate plugin: For task_id pattern '#{@task_id}', there are more than one filter which defines timeout options. All timeout options have to be defined in only one aggregate filter per task_id pattern. Timeout options are : #{display_timeout_options}"
+        end
+        @@flush_instance_map[@task_id] = self
+        @logger.debug("Aggregate timeout for '#{@task_id}' pattern: #{@timeout} seconds")
+      end
+      # timeout management : define default_timeout
+      if !@timeout.nil? && (@@default_timeout.nil? || @timeout < @@default_timeout)
+        @@default_timeout = @timeout
+        @logger.debug("Aggregate default timeout: #{@timeout} seconds")
+      end
+      # reinit static_close_instance (if necessary)
+      if !@@aggregate_maps_path_set && !@@static_close_instance.nil?
+        @@static_close_instance = nil
+      end
+      # check if aggregate_maps_path option has already been set on another instance else set @@aggregate_maps_path_set
+      if !@aggregate_maps_path.nil?
+        if @@aggregate_maps_path_set
+          @@aggregate_maps_path_set = false
+          raise LogStash::ConfigurationError, "Aggregate plugin: Option 'aggregate_maps_path' must be set on only one aggregate filter"
+        else
+          @@aggregate_maps_path_set = true
+          @@static_close_instance = self
+        end
+      end
+      # load aggregate maps from file (if option defined)
+      if !@aggregate_maps_path.nil? && File.exist?(@aggregate_maps_path)
+        File.open(@aggregate_maps_path, "r") { |from_file| @@aggregate_maps.merge!(Marshal.load(from_file)) }
+        File.delete(@aggregate_maps_path)
+        @logger.info("Aggregate maps loaded from : #{@aggregate_maps_path}")
+      end
+      # init aggregate_maps
+      @@aggregate_maps[@task_id] ||= {}
+    end
+  end
+  # Called when Logstash stops
+  public
+  def close
+    @logger.debug("Aggregate close call", :code => @code)
+    # define static close instance if none is already defined
+    @@static_close_instance = self if @@static_close_instance.nil?
+    if @@static_close_instance == self
+      # store aggregate maps to file (if option defined)
+      @@mutex.synchronize do
+        @@aggregate_maps.delete_if { |key, value| value.empty? }
+        if !@aggregate_maps_path.nil? && !@@aggregate_maps.empty?
+          File.open(@aggregate_maps_path, "w"){ |to_file| Marshal.dump(@@aggregate_maps, to_file) }
+          @logger.info("Aggregate maps stored to : #{@aggregate_maps_path}")
+        end
+        @@aggregate_maps.clear()
+      end
+      # reinit static variables for Logstash reload
+      @@default_timeout = nil
+      @@flush_instance_map = {}
+      @@last_flush_timestamp_map = {}
+      @@aggregate_maps_path_set = false
+    end
+  end
+  # This method is invoked each time an event matches the filter
+  public
+  def filter(event)
+    # define task id
+    task_id = event.sprintf(@task_id)
+    return if task_id.nil? || task_id == @task_id
+    noError = false
+    event_to_yield = nil
+    # protect aggregate_maps against concurrent access, using a mutex
+    @@mutex.synchronize do
+      # retrieve the current aggregate map
+      aggregate_maps_element = @@aggregate_maps[@task_id][task_id]
+      # create aggregate map, if it doesn't exist
+      if aggregate_maps_element.nil?
+        return if @map_action == "update"
+        # create new event from previous map, if @push_previous_map_as_event is enabled
+        if @push_previous_map_as_event && !@@aggregate_maps[@task_id].empty?
+          event_to_yield = extract_previous_map_as_event()
+        end
+        aggregate_maps_element = LogStash::Filters::Aggregate::Element.new(Time.now);
+        @@aggregate_maps[@task_id][task_id] = aggregate_maps_element
+      else
+        return if @map_action == "create"
+      end
+      map = aggregate_maps_element.map
+      # execute the code to read/update map and event
+      begin
+        @codeblock.call(event, map)
+        @logger.debug("Aggregate successful filter code execution", :code => @code)
+        noError = true
+      rescue => exception
+        @logger.error("Aggregate exception occurred",
+                      :error => exception,
+                      :code => @code,
+                      :map => map,
+                      :event_data => event.to_hash_with_metadata)
+        event.tag("_aggregateexception")
+      end
+      # delete the map if task is ended
+      @@aggregate_maps[@task_id].delete(task_id) if @end_of_task
+    end
+    # match the filter, only if no error occurred
+    filter_matched(event) if noError
+    # yield previous map as new event if set
+    yield event_to_yield unless event_to_yield.nil?
+  end
+  # Create a new event from the aggregation_map and the corresponding task_id
+  # This will create the event and
+  #  if @timeout_task_id_field is set, it will set the task_id on the timeout event
+  #  if @timeout_code is set, it will execute the timeout code on the created timeout event
+  # returns the newly created event
+  def create_timeout_event(aggregation_map, task_id)
+    @logger.debug("Aggregate create_timeout_event call with task_id '#{task_id}'")
+    event_to_yield = LogStash::Event.new(aggregation_map)
+    if @timeout_task_id_field
+      event_to_yield.set(@timeout_task_id_field, task_id)
+    end
+    LogStash::Util::Decorators.add_tags(@timeout_tags, event_to_yield, "filters/#{self.class.name}")
+    # Call code block if available
+    if @timeout_code
+      begin
+        @timeout_codeblock.call(event_to_yield)
+      rescue => exception
+        @logger.error("Aggregate exception occurred",
+                      :error => exception,
+                      :timeout_code => @timeout_code,
+                      :timeout_event_data => event_to_yield.to_hash_with_metadata)
+        event_to_yield.tag("_aggregateexception")
+      end
+    end
+    return event_to_yield
+  end
+  # Extract the previous map in aggregate maps, and return it as a new Logstash event
+  def extract_previous_map_as_event
+    previous_entry = @@aggregate_maps[@task_id].shift()
+    previous_task_id = previous_entry[0]
+    previous_map = previous_entry[1].map
+    return create_timeout_event(previous_map, previous_task_id)
+  end
+  # Necessary to indicate Logstash to periodically call 'flush' method
+  def periodic_flush
+    true
+  end
+  # This method is invoked by LogStash every 5 seconds.
+  def flush(options = {})
+    @logger.debug("Aggregate flush call with #{options}")
+    # Protection against no timeout defined by Logstash conf : define a default eviction instance with timeout = DEFAULT_TIMEOUT seconds
+    if @@default_timeout.nil?
+      @@default_timeout = DEFAULT_TIMEOUT
+    end
+    if !@@flush_instance_map.has_key?(@task_id)
+      @@flush_instance_map[@task_id] = self
+      @timeout = @@default_timeout
+    elsif @@flush_instance_map[@task_id].timeout.nil?
+      @@flush_instance_map[@task_id].timeout = @@default_timeout
+    end
+    # Launch timeout management only every interval of (@timeout / 2) seconds or at Logstash shutdown
+    if @@flush_instance_map[@task_id] == self && (!@@last_flush_timestamp_map.has_key?(@task_id) || Time.now > @@last_flush_timestamp_map[@task_id] + @timeout / 2 || options[:final])
+      events_to_flush = remove_expired_maps()
+      # at Logstash shutdown, if push_previous_map_as_event is enabled, it's important to force flush (particularly for jdbc input plugin)
+      if options[:final] && @push_previous_map_as_event && !@@aggregate_maps[@task_id].empty?
+        events_to_flush << extract_previous_map_as_event()
+      end
+      # tag flushed events, indicating "final flush" special event
+      if options[:final]
+        events_to_flush.each { |event_to_flush| event_to_flush.tag("_aggregatefinalflush") }
+      end
+      # update last flush timestamp
+      @@last_flush_timestamp_map[@task_id] = Time.now
+      # return events to flush into Logstash pipeline
+      return events_to_flush
+    else
+      return []
+    end
+  end
+  # Remove the expired Aggregate maps from @@aggregate_maps if they are older than timeout.
+  # If @push_previous_map_as_event option is set, or @push_map_as_event_on_timeout is set, expired maps are returned as new events to be flushed to Logstash pipeline.
+  def remove_expired_maps()
+    events_to_flush = []
+    min_timestamp = Time.now - @timeout
+    @@mutex.synchronize do
+      @logger.debug("Aggregate remove_expired_maps call with '#{@task_id}' pattern and #{@@aggregate_maps[@task_id].length} maps")
+      @@aggregate_maps[@task_id].delete_if do |key, element|
+        if element.creation_timestamp < min_timestamp
+          if @push_previous_map_as_event || @push_map_as_event_on_timeout
+            events_to_flush << create_timeout_event(element.map, key)
+          end
+          next true
+        end
+        next false
+      end
+    end
+    return events_to_flush
+  end
+  # return if this filter instance has any timeout option enabled in Logstash configuration
+  def has_timeout_options?()
+    return (
+      timeout ||
+      timeout_code ||
+      push_map_as_event_on_timeout ||
+      push_previous_map_as_event ||
+      timeout_task_id_field ||
+      !timeout_tags.empty?
+    )
+  end
+  # display all possible timeout options
+  def display_timeout_options()
+    return [
+      "timeout",
+      "timeout_code",
+      "push_map_as_event_on_timeout",
+      "push_previous_map_as_event",
+      "timeout_task_id_field",
+      "timeout_tags"
+    ].join(", ")
+  end
+end # class LogStash::Filters::Aggregate
+# Element of "aggregate_maps"
+class LogStash::Filters::Aggregate::Element
+  attr_accessor :creation_timestamp, :map
+  def initialize(creation_timestamp)
+    @creation_timestamp = creation_timestamp
+    @map = {}
+  end
 end