logstash-filter-aggregate 2.9.0 → 2.9.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/docs/index.asciidoc +8 -7
- data/lib/logstash/filters/aggregate.rb +5 -3
- data/logstash-filter-aggregate.gemspec +1 -1
- metadata +2 -2
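--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bd090d41c0cd4b8fad41ca7ae9328d0ade9f5f45
+data.tar.gz: 613247681d664249d2977d817d6c29479c6ba580
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c29a97c6dadfb87134ab46d027b93a7e16210d5eb39bf6262be8ab30fc3a3f9c3d4cea50c55bc778b9f431326e15b187c61bd8f214d6117b912d3515c5daadc0
+data.tar.gz: 31cae051db32bd52a1bd712d12037184e910abec9f37a01e34e68f9a4a985364ea0b9b03f050e934c1f80e5e8a35e528263968d73153716687fa38620b928917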
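--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2.9.1
+- bugfix: fix inactivity timeout feature when processing old logs (PR [#103](https://github.com/logstash-plugins/logstash-filter-aggregate/pull/103), thanks @jdratlif for his contribution!)
+- docs: fix several typos in documentation
+- docs: enhance example 4 documentation
+- ci: enhance plugin continuous integration
+
 ## 2.9.0
 - new feature: add ability to dynamically define a custom `timeout` or `inactivity_timeout` in `code` block (fix issues [#91](https://github.com/logstash-plugins/logstash-filter-aggregate/issues/91) and [#92](https://github.com/logstash-plugins/logstash-filter-aggregate/issues/92))
 - new feature: add meta informations available in `code` block through `map_meta` variable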
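--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -228,7 +228,7 @@ In that case, you don't want to wait task timeout to flush aggregation map.
 aggregate {
 task_id => "%{country_name}"
 code => "
-map['country_name']
+map['country_name'] ||= event.get('country_name')
 map['towns'] ||= []
 map['towns'] << {'town_name' => event.get('town_name')}
 event.cancel()
@@ -240,8 +240,9 @@ In that case, you don't want to wait task timeout to flush aggregation map.
 ----------------------------------
 
 * The key point is that each time aggregate plugin detects a new `country_name`, it pushes previous aggregate map as a new Logstash event, and then creates a new empty map for the next country
-* When
-*
+* When 3s timeout comes, the last aggregate map is pushed as a new event
+* Initial events (which are not aggregated) are dropped because useless (thanks to `event.cancel()`)
+* Last point: if a field is not fulfilled for every event (say "town_postcode" field), the `||=` operator will let you to push into aggregate map, the first "not null" value. Example: `map['town_postcode'] ||= event.get('town_postcode')`
 
 
 [id="plugins-{type}s-{plugin}-example5"]
@@ -249,7 +250,7 @@ In that case, you don't want to wait task timeout to flush aggregation map.
 
 Fifth use case: like example #3, there is no end event.
 
-Events keep
+Events keep coming for an indefinite time and you want to push the aggregation map as soon as possible after the last user interaction without waiting for the `timeout`.
 
 This allows to have the aggregated events pushed closer to real time.
 
@@ -260,7 +261,7 @@ We can track a user by its ID through the events, however once the user stops in
 
 There is no specific event indicating the end of the user's interaction.
 
-The user
+The user interaction will be considered as ended when no events for the specified user (task_id) arrive after the specified inactivity_timeout`.
 
 If the user continues interacting for longer than `timeout` seconds (since first event), the aggregation map will still be deleted and pushed as a new event when timeout occurs.
 
@@ -295,7 +296,7 @@ filter {
 code => "map['clicks'] ||= 0; map['clicks'] += 1;"
 push_map_as_event_on_timeout => true
 timeout_task_id_field => "user_id"
-timeout => 3600 # 1 hour timeout, user activity will be considered finished one hour after the first event, even if events keep
+timeout => 3600 # 1 hour timeout, user activity will be considered finished one hour after the first event, even if events keep coming
 inactivity_timeout => 300 # 5 minutes timeout, user activity will be considered finished if no new events arrive 5 minutes after the last event
 timeout_tags => ['_aggregatetimeout']
 timeout_code => "event.set('several_clicks', event.get('clicks') > 1)"
@@ -326,7 +327,7 @@ filter {
 * in the final event, you can execute a last code (for instance, add map data to final event)
 * after the final event, the map attached to task is deleted (thanks to `end_of_task => true`)
 * an aggregate map is tied to one task_id value which is tied to one task_id pattern. So if you have 2 filters with different task_id patterns, even if you have same task_id value, they won't share the same aggregate map.
-* in one filter configuration, it is
+* in one filter configuration, it is recommended to define a timeout option to protect the feature against unterminated tasks. It tells the filter to delete expired maps
 * if no timeout is defined, by default, all maps older than 1800 seconds are automatically deleted
 * all timeout options have to be defined in only one aggregate filter per task_id pattern (per pipeline). Timeout options are : timeout, inactivity_timeout, timeout_code, push_map_as_event_on_timeout, push_previous_map_as_event, timeout_timestamp_field, timeout_task_id_field, timeout_tags
 * if `code` execution raises an exception, the error is logged and event is tagged '_aggregateexception'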
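--- a/data/lib/logstash/filters/aggregate.rb
+++ b/data/lib/logstash/filters/aggregate.rb
@@ -214,6 +214,7 @@ class LogStash::Filters::Aggregate < LogStash::Filters::Base
 
 # update last event timestamp
 aggregate_maps_element.lastevent_timestamp = reference_timestamp(event)
+aggregate_maps_element.difference_from_lastevent_to_now = (Time.now - aggregate_maps_element.lastevent_timestamp).to_i
 
 # execute the code to read/update map and event
 map = aggregate_maps_element.map
@@ -395,7 +396,7 @@ class LogStash::Filters::Aggregate < LogStash::Filters::Base
 @current_pipeline.aggregate_maps[@task_id].delete_if do |key, element|
 min_timestamp = element.timeout ? Time.now - element.timeout : default_min_timestamp
 min_inactivity_timestamp = element.inactivity_timeout ? Time.now - element.inactivity_timeout : default_min_inactivity_timestamp
-if element.creation_timestamp + element.difference_from_creation_to_now < min_timestamp || element.lastevent_timestamp + element.
+if element.creation_timestamp + element.difference_from_creation_to_now < min_timestamp || element.lastevent_timestamp + element.difference_from_lastevent_to_now < min_inactivity_timestamp
 if @push_previous_map_as_event || @push_map_as_event_on_timeout
 events_to_flush << create_timeout_event(element.map, key)
 end
@@ -500,12 +501,13 @@ end # class LogStash::Filters::Aggregate
 # Element of "aggregate_maps"
 class LogStash::Filters::Aggregate::Element
 
-attr_accessor :creation_timestamp, :lastevent_timestamp, :difference_from_creation_to_now, :timeout, :inactivity_timeout, :task_id, :map
+attr_accessor :creation_timestamp, :lastevent_timestamp, :difference_from_creation_to_now, :difference_from_lastevent_to_now, :timeout, :inactivity_timeout, :task_id, :map
 
 def initialize(creation_timestamp, task_id)
 @creation_timestamp = creation_timestamp
-@lastevent_timestamp = creation_timestamp
+@lastevent_timestamp = creation_timestamp
 @difference_from_creation_to_now = (Time.now - creation_timestamp).to_i
+@difference_from_lastevent_to_now = @difference_from_creation_to_now
 @timeout = nil
 @inactivity_timeout = nil
 @task_id = task_id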
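Review bot: Nothing ties `difference_from_lastevent_to_now` to `lastevent_timestamp`: they are two independent `attr_accessor`s on `Element`, and the expiry test in the `delete_if` block is only right if the offset was recomputed at the last write of the timestamp, as the added line after `reference_timestamp(event)` does. Any other assignment to `lastevent_timestamp` (none is visible in these hunks) would leave a stale offset, and since the timestamp appears to come from event data, maps could then expire at once or outlive `inactivity_timeout` and keep holding memory. I would document the invariant above the accessor line, e.g. `# difference_from_lastevent_to_now: whole seconds between Time.now and lastevent_timestamp when the last event was processed; refresh on every write of lastevent_timestamp`. Note also that `.to_i` drops the fractional second, so the inactivity comparison can be off by up to one second. The method body in the first hunk, the `delete_if` block and `initialize` all continue outside the hunks shown.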
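--- a/data/logstash-filter-aggregate.gemspec
+++ b/data/logstash-filter-aggregate.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-filter-aggregate'
-s.version = '2.9.
+s.version = '2.9.1'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Aggregates information from several events originating with a single task"
 s.description = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program'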
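--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-aggregate
 version: !ruby/object:Gem::Version
-version: 2.9.
+version: 2.9.1
 platform: ruby
 authors:
 - Elastic
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2019-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement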