logstash-filter-aggregate 2.9.0 → 2.9.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/docs/index.asciidoc +8 -7
- data/lib/logstash/filters/aggregate.rb +5 -3
- data/logstash-filter-aggregate.gemspec +1 -1
- metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: bd090d41c0cd4b8fad41ca7ae9328d0ade9f5f45
+  data.tar.gz: 613247681d664249d2977d817d6c29479c6ba580
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: c29a97c6dadfb87134ab46d027b93a7e16210d5eb39bf6262be8ab30fc3a3f9c3d4cea50c55bc778b9f431326e15b187c61bd8f214d6117b912d3515c5daadc0
+  data.tar.gz: 31cae051db32bd52a1bd712d12037184e910abec9f37a01e34e68f9a4a985364ea0b9b03f050e934c1f80e5e8a35e528263968d73153716687fa38620b928917
data/CHANGELOG.md CHANGED
@@ -1,3 +1,9 @@
+## 2.9.1
+- bugfix: fix inactivity timeout feature when processing old logs (PR [#103](https://github.com/logstash-plugins/logstash-filter-aggregate/pull/103), thanks @jdratlif for his contribution!)
+- docs: fix several typos in documentation
+- docs: enhance example 4 documentation
+- ci: enhance plugin continuous integration
+
 ## 2.9.0
 - new feature: add ability to dynamically define a custom `timeout` or `inactivity_timeout` in `code` block (fix issues [#91](https://github.com/logstash-plugins/logstash-filter-aggregate/issues/91) and [#92](https://github.com/logstash-plugins/logstash-filter-aggregate/issues/92))
 - new feature: add meta informations available in `code` block through `map_meta` variable
data/docs/index.asciidoc CHANGED
@@ -228,7 +228,7 @@ In that case, you don't want to wait task timeout to flush aggregation map.
   aggregate {
     task_id => "%{country_name}"
     code => "
-      map['country_name']
+      map['country_name'] ||= event.get('country_name')
       map['towns'] ||= []
       map['towns'] << {'town_name' => event.get('town_name')}
       event.cancel()
@@ -240,8 +240,9 @@ In that case, you don't want to wait task timeout to flush aggregation map.
 ----------------------------------
 
 * The key point is that each time aggregate plugin detects a new `country_name`, it pushes previous aggregate map as a new Logstash event, and then creates a new empty map for the next country
-* When
-*
+* When 3s timeout comes, the last aggregate map is pushed as a new event
+* Initial events (which are not aggregated) are dropped because useless (thanks to `event.cancel()`)
+* Last point: if a field is not fulfilled for every event (say "town_postcode" field), the `||=` operator lets you push into the aggregate map the first "not null" value. Example: `map['town_postcode'] ||= event.get('town_postcode')`
 
 
 [id="plugins-{type}s-{plugin}-example5"]
@@ -249,7 +250,7 @@ In that case, you don't want to wait task timeout to flush aggregation map.
 
 Fifth use case: like example #3, there is no end event.
 
-Events keep
+Events keep coming for an indefinite time and you want to push the aggregation map as soon as possible after the last user interaction, without waiting for the `timeout`.
 
 This allows to have the aggregated events pushed closer to real time.
 
@@ -260,7 +261,7 @@ We can track a user by its ID through the events, however once the user stops in
 
 There is no specific event indicating the end of the user's interaction.
 
-The user
+The user interaction will be considered as ended when no events for the specified user (task_id) arrive after the specified `inactivity_timeout`.
 
 If the user continues interacting for longer than `timeout` seconds (since first event), the aggregation map will still be deleted and pushed as a new event when timeout occurs.
 
@@ -295,7 +296,7 @@ filter {
     code => "map['clicks'] ||= 0; map['clicks'] += 1;"
     push_map_as_event_on_timeout => true
     timeout_task_id_field => "user_id"
-    timeout => 3600 # 1 hour timeout, user activity will be considered finished one hour after the first event, even if events keep
+    timeout => 3600 # 1 hour timeout, user activity will be considered finished one hour after the first event, even if events keep coming
     inactivity_timeout => 300 # 5 minutes timeout, user activity will be considered finished if no new events arrive 5 minutes after the last event
     timeout_tags => ['_aggregatetimeout']
     timeout_code => "event.set('several_clicks', event.get('clicks') > 1)"
@@ -326,7 +327,7 @@ filter {
 * in the final event, you can execute a last code (for instance, add map data to final event)
 * after the final event, the map attached to task is deleted (thanks to `end_of_task => true`)
 * an aggregate map is tied to one task_id value which is tied to one task_id pattern. So if you have 2 filters with different task_id patterns, even if you have same task_id value, they won't share the same aggregate map.
-* in one filter configuration, it is
+* in one filter configuration, it is recommended to define a timeout option to protect the feature against unterminated tasks. It tells the filter to delete expired maps
 * if no timeout is defined, by default, all maps older than 1800 seconds are automatically deleted
 * all timeout options have to be defined in only one aggregate filter per task_id pattern (per pipeline). Timeout options are: timeout, inactivity_timeout, timeout_code, push_map_as_event_on_timeout, push_previous_map_as_event, timeout_timestamp_field, timeout_task_id_field, timeout_tags
 * if `code` execution raises an exception, the error is logged and event is tagged '_aggregateexception'
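The example-4 pattern documented above (`||=` to seed map fields, the previous map pushed as a new event when a new `country_name` appears, the last map flushed on timeout) can be sketched in plain Ruby outside Logstash. Everything below is a hypothetical illustration, not the plugin's API:

```ruby
# Stand-alone sketch of the example-4 aggregation pattern (hypothetical
# names; inside Logstash this logic lives in the aggregate filter's `code`).
events = [
  { 'country_name' => 'France', 'town_name' => 'Paris' },
  { 'country_name' => 'France', 'town_name' => 'Lyon' },
  { 'country_name' => 'Spain',  'town_name' => 'Madrid' }
]

pushed = []          # aggregated events the filter would emit
map = nil            # current aggregate map
current_country = nil

events.each do |event|
  if current_country && current_country != event['country_name']
    pushed << map    # new country detected: push the previous aggregate map
    map = nil
  end
  current_country = event['country_name']
  map ||= {}
  map['country_name'] ||= event['country_name'] # ||= keeps the first non-nil value
  map['towns'] ||= []
  map['towns'] << { 'town_name' => event['town_name'] }
end
pushed << map if map # the 3s timeout would flush the last map

puts pushed.length   # one aggregated event per country
```

The original per-country events would be cancelled with `event.cancel()`, leaving only the entries in `pushed`.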
data/lib/logstash/filters/aggregate.rb CHANGED
@@ -214,6 +214,7 @@ class LogStash::Filters::Aggregate < LogStash::Filters::Base
 
     # update last event timestamp
     aggregate_maps_element.lastevent_timestamp = reference_timestamp(event)
+    aggregate_maps_element.difference_from_lastevent_to_now = (Time.now - aggregate_maps_element.lastevent_timestamp).to_i
 
     # execute the code to read/update map and event
     map = aggregate_maps_element.map
@@ -395,7 +396,7 @@ class LogStash::Filters::Aggregate < LogStash::Filters::Base
     @current_pipeline.aggregate_maps[@task_id].delete_if do |key, element|
       min_timestamp = element.timeout ? Time.now - element.timeout : default_min_timestamp
       min_inactivity_timestamp = element.inactivity_timeout ? Time.now - element.inactivity_timeout : default_min_inactivity_timestamp
-      if element.creation_timestamp + element.difference_from_creation_to_now < min_timestamp || element.lastevent_timestamp + element.
+      if element.creation_timestamp + element.difference_from_creation_to_now < min_timestamp || element.lastevent_timestamp + element.difference_from_lastevent_to_now < min_inactivity_timestamp
         if @push_previous_map_as_event || @push_map_as_event_on_timeout
           events_to_flush << create_timeout_event(element.map, key)
         end
@@ -500,12 +501,13 @@ end # class LogStash::Filters::Aggregate
 
 # Element of "aggregate_maps"
 class LogStash::Filters::Aggregate::Element
 
-  attr_accessor :creation_timestamp, :lastevent_timestamp, :difference_from_creation_to_now, :timeout, :inactivity_timeout, :task_id, :map
+  attr_accessor :creation_timestamp, :lastevent_timestamp, :difference_from_creation_to_now, :difference_from_lastevent_to_now, :timeout, :inactivity_timeout, :task_id, :map
 
   def initialize(creation_timestamp, task_id)
     @creation_timestamp = creation_timestamp
-    @lastevent_timestamp = creation_timestamp
+    @lastevent_timestamp = creation_timestamp
     @difference_from_creation_to_now = (Time.now - creation_timestamp).to_i
+    @difference_from_lastevent_to_now = @difference_from_creation_to_now
     @timeout = nil
     @inactivity_timeout = nil
     @task_id = task_id
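The fix above records, per aggregate map, the offset between wall-clock time and the last event's (possibly historical) timestamp, so that replayed old logs are not expired at once by `inactivity_timeout`. A minimal stand-alone sketch of the corrected check, using a simplified stand-in for the plugin's `Element` class (hypothetical names, for illustration only):

```ruby
# Simplified stand-in for the plugin's Element class (illustration only).
Element = Struct.new(:lastevent_timestamp, :difference_from_lastevent_to_now)

# Mirrors the corrected expiry test: the last-event timestamp is shifted by
# the drift recorded when the event was processed, so historical timestamps
# are compared on the wall-clock scale.
def inactive?(element, inactivity_timeout, now)
  min_inactivity_timestamp = now - inactivity_timeout
  element.lastevent_timestamp + element.difference_from_lastevent_to_now < min_inactivity_timestamp
end

now = Time.now
old_event_time = now - 86_400        # replaying day-old logs
drift = (now - old_event_time).to_i  # recorded when the event was processed

fresh = Element.new(old_event_time, drift)
puts inactive?(fresh, 300, now)      # false: drift compensates, map is kept

# Without the per-map drift, the same freshly-touched map would be judged
# inactive immediately (the symptom the bugfix addresses):
stale = Element.new(old_event_time, 0)
puts inactive?(stale, 300, now)      # true: expired at once
```

This is why both `difference_from_lastevent_to_now` (updated on every event) and its initialization in `Element#initialize` appear in the diff.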
data/logstash-filter-aggregate.gemspec CHANGED
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'logstash-filter-aggregate'
-  s.version = '2.9.0'
+  s.version = '2.9.1'
   s.licenses = ['Apache License (2.0)']
   s.summary = "Aggregates information from several events originating with a single task"
   s.description = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program'
metadata CHANGED
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-aggregate
 version: !ruby/object:Gem::Version
-  version: 2.9.0
+  version: 2.9.1
 platform: ruby
 authors:
 - Elastic
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2019-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement