logstash-filter-denormalize 0.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +0 -0
- data/CONTRIBUTORS +10 -0
- data/Gemfile +2 -0
- data/LICENSE +13 -0
- data/NOTICE.TXT +5 -0
- data/README.md +88 -0
- data/lib/logstash/filters/denormalize.rb +62 -0
- data/logstash-filter-denormalize.gemspec +27 -0
- data/spec/filters/denormalize_spec.rb +104 -0
- data/vendor/GeoIPASNum-2014-02-12.dat +0 -0
- data/vendor/GeoLiteCity-2013-01-18.dat +0 -0
- metadata +91 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: ac20ed323d0c620f7b31525d2cb1e77461415977
|
4
|
+
data.tar.gz: 4bbe769bd1d7a503e793ee75bce0944cc307a1d8
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 0b4c540717223854b8a7542f8d80b26195c6bce774a0ed1646bd2a1e412f16ee9e751b4eab50e199926b18dae8cc1d515bb3925d435bb0a8d5012422ce7ae811
|
7
|
+
data.tar.gz: 22c43a69c9f0ec4307fec2942933cdfb364c50382d4fc6de1b51fff45f0250135681a3ea4187fe7b5b3bda41124832a3de8bbb4fe12266186efe9a1809e6ad7d
|
data/CHANGELOG.md
ADDED
File without changes
|
data/CONTRIBUTORS
ADDED
@@ -0,0 +1,10 @@
|
|
1
|
+
The following is a list of people who have contributed ideas, code, bug
|
2
|
+
reports, or in general have helped logstash along its way.
|
3
|
+
|
4
|
+
Contributors:
|
5
|
+
* Inga Feick (ingafeick)
|
6
|
+
|
7
|
+
Note: If you've sent us patches, bug reports, or otherwise contributed to
|
8
|
+
Logstash, and you aren't on the list above and want to be, please let us know
|
9
|
+
and we'll make sure you're here. Contributions from folks like you are what make
|
10
|
+
open source awesome.
|
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
Copyright (c) 2012–2015 trivago <http://www.trivago.com>
|
2
|
+
|
3
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
you may not use this file except in compliance with the License.
|
5
|
+
You may obtain a copy of the License at
|
6
|
+
|
7
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
|
9
|
+
Unless required by applicable law or agreed to in writing, software
|
10
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
See the License for the specific language governing permissions and
|
13
|
+
limitations under the License.
|
data/NOTICE.TXT
ADDED
data/README.md
ADDED
@@ -0,0 +1,88 @@
|
|
1
|
+
# Logstash denormalize Filter Plugin
|
2
|
+
|
3
|
+
|
4
|
+
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
5
|
+
|
6
|
+
It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
|
7
|
+
|
8
|
+
## Installation
|
9
|
+
|
10
|
+
You can download the plugin from [rubygems](https://rubygems.org/gems/logstash-filter-denormalize) and install it from your logstash home directory like so:
|
11
|
+
|
12
|
+
bin/plugin install logstash-filter-denormalize-$VERSION.gem
|
13
|
+
|
14
|
+
## Versions and compatibility
|
15
|
+
|
16
|
+
Versions below 0.1.2 are compatible with logstash 2.x. Version 0.1.2 and later are compatible with logstash 5.
|
17
|
+
|
18
|
+
## Purpose
|
19
|
+
|
20
|
+
This filter will denormalize an event with a field of n values in an array into n differents events, which are the same except for the values in the array field. Each event will contain one of the array values in that field.
|
21
|
+
Basically, it behaves like the [split filter](https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html) but it splits on objects, not string sections.
|
22
|
+
|
23
|
+
### Examples
|
24
|
+
|
25
|
+
Input event:
|
26
|
+
{
|
27
|
+
"host" => "machine4711"
|
28
|
+
"services" => ["elasticsearch","logstash","collectd"]
|
29
|
+
"ip" => "10.1.2.3"
|
30
|
+
}
|
31
|
+
|
32
|
+
Output events:
|
33
|
+
|
34
|
+
{
|
35
|
+
"host" => "machine4711"
|
36
|
+
"services" => "elasticsearch"
|
37
|
+
"ip" => "10.1.2.3"
|
38
|
+
}
|
39
|
+
{
|
40
|
+
"host" => "machine4711"
|
41
|
+
"services" => "logstash"
|
42
|
+
"ip" => "10.1.2.3"
|
43
|
+
}
|
44
|
+
{
|
45
|
+
"host" => "machine4711"
|
46
|
+
"services" => "collectd"
|
47
|
+
"ip" => "10.1.2.3"
|
48
|
+
}
|
49
|
+
|
50
|
+
If the field, upon which the event is to be splitted, contains an array of key=>value nature, then those keys will be used in the new events:
|
51
|
+
|
52
|
+
Input event:
|
53
|
+
{
|
54
|
+
"host" => "machine4711"
|
55
|
+
"attributes" => {
|
56
|
+
"ram" => "32g",
|
57
|
+
"cores" => 8
|
58
|
+
}
|
59
|
+
"ip" => "10.1.2.3"
|
60
|
+
}
|
61
|
+
|
62
|
+
Output events:
|
63
|
+
{
|
64
|
+
"host" => "machine4711"
|
65
|
+
"ram" => "32g"
|
66
|
+
"ip" => "10.1.2.3"
|
67
|
+
}
|
68
|
+
{
|
69
|
+
"host" => "machine4711"
|
70
|
+
"cores" => 8
|
71
|
+
"ip" => "10.1.2.3"
|
72
|
+
}
|
73
|
+
|
74
|
+
## Configuration
|
75
|
+
|
76
|
+
* source : name of the field by which to denormalize. For each entry in this field (which should have an array value) a new record will be created, containing all the other fields.
|
77
|
+
* target : new key for the field by which you splitted the event. This is only effective if the splitted field didn't have keys on its own.
|
78
|
+
|
79
|
+
|
80
|
+
## Contributing
|
81
|
+
|
82
|
+
All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
|
83
|
+
|
84
|
+
Programming is not a required skill. Whatever you've seen about open source and maintainers or community members saying "send patches or die" - you will not see that here.
|
85
|
+
|
86
|
+
It is more important to the community that you are able to contribute.
|
87
|
+
|
88
|
+
For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
|
@@ -0,0 +1,62 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "logstash/filters/base"
|
3
|
+
require "logstash/namespace"
|
4
|
+
|
5
|
+
# TODO docu
|
6
|
+
class LogStash::Filters::Denormalize < LogStash::Filters::Base
|
7
|
+
|
8
|
+
config_name "denormalize"
|
9
|
+
|
10
|
+
# The name of the field which contains the array or hash value(s)
|
11
|
+
config :source, :validate => :string
|
12
|
+
|
13
|
+
# New name for the splitted field in the new events, if it is not a hash
|
14
|
+
config :target, :validate => :string, :default => ""
|
15
|
+
|
16
|
+
# Delete the original event after it has been splitted
|
17
|
+
config :delete_original, :validate => :boolean, :default => true
|
18
|
+
|
19
|
+
public
|
20
|
+
def register
|
21
|
+
@list_target = (@target.nil? || @target.empty?) ? @source : @target # if no target name is provided: keep original name.
|
22
|
+
|
23
|
+
end # def register
|
24
|
+
|
25
|
+
public
|
26
|
+
def filter(event)
|
27
|
+
input = event.get(@source)
|
28
|
+
if !input.nil?
|
29
|
+
if input.is_a?(::Hash) # if it's a hash then let's take the keys from the original data
|
30
|
+
input.each do |key, value|
|
31
|
+
target = (!@target.nil? && !@target.empty?) ? @target : key
|
32
|
+
event_split = event.clone
|
33
|
+
event_split.set(target, value)
|
34
|
+
filter_matched(event_split)
|
35
|
+
yield event_split
|
36
|
+
if @delete_original
|
37
|
+
event.cancel # TODO why is this here and not outside the loop?
|
38
|
+
end
|
39
|
+
end # do
|
40
|
+
elsif (input.is_a? Enumerable)
|
41
|
+
input.each do |value|
|
42
|
+
# magic(event, @target, value)
|
43
|
+
event_split = event.clone
|
44
|
+
event_split.set(@list_target, value)
|
45
|
+
filter_matched(event_split)
|
46
|
+
yield event_split
|
47
|
+
if @delete_original
|
48
|
+
event.cancel # TODO why is this here and not outside the loop?
|
49
|
+
end
|
50
|
+
end # do
|
51
|
+
else
|
52
|
+
@logger.debug("Not iterable: field " + @source + " with value " + input.to_s)
|
53
|
+
end
|
54
|
+
else
|
55
|
+
@logger.debug("Nil: field " + @source)
|
56
|
+
end # if input.nil?
|
57
|
+
end # def filter
|
58
|
+
|
59
|
+
|
60
|
+
end # class LogStash::Filters::List2fields
|
61
|
+
|
62
|
+
|
@@ -0,0 +1,27 @@
|
|
1
|
+
Gem::Specification.new do |s|
|
2
|
+
|
3
|
+
s.name = 'logstash-filter-denormalize'
|
4
|
+
s.version = '0.1.2'
|
5
|
+
s.licenses = ['Apache License (2.0)']
|
6
|
+
s.summary = "$summary"
|
7
|
+
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
8
|
+
s.authors = ["Inga Feick"]
|
9
|
+
s.email = 'inga.feick@trivago.com'
|
10
|
+
s.homepage = "http://www.elastic.co/guide/en/logstash/current/index.html"
|
11
|
+
s.require_paths = ["lib"]
|
12
|
+
|
13
|
+
# Files
|
14
|
+
s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
|
15
|
+
|
16
|
+
# Tests
|
17
|
+
s.test_files = s.files.grep(%r{^(test|spec|features)/})
|
18
|
+
|
19
|
+
# Special flag to let us know this is actually a logstash plugin
|
20
|
+
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
|
21
|
+
|
22
|
+
# Gem dependencies
|
23
|
+
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
|
24
|
+
|
25
|
+
s.add_development_dependency 'logstash-devutils'
|
26
|
+
end
|
27
|
+
|
@@ -0,0 +1,104 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "logstash/devutils/rspec/spec_helper"
|
3
|
+
require "logstash/filters/denormalize"
|
4
|
+
require "logstash/event"
|
5
|
+
|
6
|
+
describe LogStash::Filters::Denormalize do
|
7
|
+
|
8
|
+
context "when field is a list" do
|
9
|
+
it "should not raise exception" do
|
10
|
+
filter = LogStash::Filters::Denormalize.new({"source" => "my_array"})
|
11
|
+
event = LogStash::Event.new("my_array" => ["cat","dog"])
|
12
|
+
|
13
|
+
expect {filter.filter(event).length}.to eq(2)
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
|
18
|
+
=begin
|
19
|
+
|
20
|
+
context "when field is nil" do
|
21
|
+
it "should not raise exception" do
|
22
|
+
filter = LogStash::Filters::Denormalize.new({"source" => "my_array"})
|
23
|
+
event = LogStash::Event.new("my_array" => nil)
|
24
|
+
expect {filter.filter(event)}.not_to raise_error
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
describe "array input" do
|
29
|
+
config <<-CONFIG
|
30
|
+
filter {
|
31
|
+
denormalize { "source" => "message"}
|
32
|
+
}
|
33
|
+
CONFIG
|
34
|
+
|
35
|
+
sample ["cheese", "bacon"] do
|
36
|
+
puts subject.inspect # TODO
|
37
|
+
insist { subject.length } == 2
|
38
|
+
insist { subject[0]["message"] } == "cheese"
|
39
|
+
insist { subject[1]["message"] } == "bacon"
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
context "when field is not iterable" do
|
44
|
+
it "should not raise exception" do
|
45
|
+
filter = LogStash::Filters::Denormalize.new({"source" => "my_array"})
|
46
|
+
event = LogStash::Event.new("my_array" => "ipsum lorem")
|
47
|
+
expect {filter.filter(event)}.not_to raise_error
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
|
52
|
+
|
53
|
+
describe "change target name" do
|
54
|
+
config <<-CONFIG
|
55
|
+
filter {
|
56
|
+
denormalize {
|
57
|
+
"source" => "message"
|
58
|
+
"target" => "new_key"
|
59
|
+
}
|
60
|
+
}
|
61
|
+
CONFIG
|
62
|
+
|
63
|
+
sample ["cheese", "bacon"] do
|
64
|
+
puts subject.inspect # TODO
|
65
|
+
insist { subject.length } == 2
|
66
|
+
insist { subject[0]["new_key"] } == "cheese"
|
67
|
+
insist { subject[1]["new_key"] } == "bacon"
|
68
|
+
end
|
69
|
+
end
|
70
|
+
|
71
|
+
|
72
|
+
describe "hash input" do
|
73
|
+
config <<-CONFIG
|
74
|
+
filter {
|
75
|
+
denormalize { "source" => "message"}
|
76
|
+
}
|
77
|
+
CONFIG
|
78
|
+
|
79
|
+
sample {"foo" => "bar", "unicorn" => "magic"} do
|
80
|
+
insist { subject.length } == 2
|
81
|
+
insist { subject[0]["foo"] } == "bar"
|
82
|
+
insist { subject[1]["unicorn"] } == "magic"
|
83
|
+
end
|
84
|
+
end
|
85
|
+
|
86
|
+
describe "hash input with target name" do
|
87
|
+
config <<-CONFIG
|
88
|
+
filter {
|
89
|
+
denormalize {
|
90
|
+
"source" => "message"
|
91
|
+
"target" => "new_key"
|
92
|
+
}
|
93
|
+
}
|
94
|
+
CONFIG
|
95
|
+
|
96
|
+
sample {"foo" => "bar", "unicorn" => "magic"} do
|
97
|
+
insist { subject.length } == 2
|
98
|
+
insist { subject[0]["new_key"] } == "bar"
|
99
|
+
insist { subject[1]["new_key"] } == "magic"
|
100
|
+
end
|
101
|
+
end
|
102
|
+
=end
|
103
|
+
|
104
|
+
end
|
Binary file
|
Binary file
|
metadata
ADDED
@@ -0,0 +1,91 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: logstash-filter-denormalize
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.2
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Inga Feick
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2016-11-02 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
requirement: !ruby/object:Gem::Requirement
|
15
|
+
requirements:
|
16
|
+
- - '>='
|
17
|
+
- !ruby/object:Gem::Version
|
18
|
+
version: '1.60'
|
19
|
+
- - <=
|
20
|
+
- !ruby/object:Gem::Version
|
21
|
+
version: '2.99'
|
22
|
+
name: logstash-core-plugin-api
|
23
|
+
prerelease: false
|
24
|
+
type: :runtime
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
26
|
+
requirements:
|
27
|
+
- - '>='
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
version: '1.60'
|
30
|
+
- - <=
|
31
|
+
- !ruby/object:Gem::Version
|
32
|
+
version: '2.99'
|
33
|
+
- !ruby/object:Gem::Dependency
|
34
|
+
requirement: !ruby/object:Gem::Requirement
|
35
|
+
requirements:
|
36
|
+
- - '>='
|
37
|
+
- !ruby/object:Gem::Version
|
38
|
+
version: '0'
|
39
|
+
name: logstash-devutils
|
40
|
+
prerelease: false
|
41
|
+
type: :development
|
42
|
+
version_requirements: !ruby/object:Gem::Requirement
|
43
|
+
requirements:
|
44
|
+
- - '>='
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: '0'
|
47
|
+
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
48
|
+
email: inga.feick@trivago.com
|
49
|
+
executables: []
|
50
|
+
extensions: []
|
51
|
+
extra_rdoc_files: []
|
52
|
+
files:
|
53
|
+
- CHANGELOG.md
|
54
|
+
- CONTRIBUTORS
|
55
|
+
- Gemfile
|
56
|
+
- LICENSE
|
57
|
+
- NOTICE.TXT
|
58
|
+
- README.md
|
59
|
+
- lib/logstash/filters/denormalize.rb
|
60
|
+
- logstash-filter-denormalize.gemspec
|
61
|
+
- spec/filters/denormalize_spec.rb
|
62
|
+
- vendor/GeoIPASNum-2014-02-12.dat
|
63
|
+
- vendor/GeoLiteCity-2013-01-18.dat
|
64
|
+
homepage: http://www.elastic.co/guide/en/logstash/current/index.html
|
65
|
+
licenses:
|
66
|
+
- Apache License (2.0)
|
67
|
+
metadata:
|
68
|
+
logstash_plugin: 'true'
|
69
|
+
logstash_group: filter
|
70
|
+
post_install_message:
|
71
|
+
rdoc_options: []
|
72
|
+
require_paths:
|
73
|
+
- lib
|
74
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
75
|
+
requirements:
|
76
|
+
- - '>='
|
77
|
+
- !ruby/object:Gem::Version
|
78
|
+
version: '0'
|
79
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
80
|
+
requirements:
|
81
|
+
- - '>='
|
82
|
+
- !ruby/object:Gem::Version
|
83
|
+
version: '0'
|
84
|
+
requirements: []
|
85
|
+
rubyforge_project:
|
86
|
+
rubygems_version: 2.4.5
|
87
|
+
signing_key:
|
88
|
+
specification_version: 4
|
89
|
+
summary: $summary
|
90
|
+
test_files:
|
91
|
+
- spec/filters/denormalize_spec.rb
|