logstash-filter-dissect 1.0.6

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e8ae7e2bba795f607709e23084ba6c6603470909
+  data.tar.gz: d92b6cec5ce57c933e356b147d67d9d50d0f9602
+SHA512:
+  metadata.gz: 449cafef68edfd28da3b5dc6c56ad5b93cd532261251868acb5d76f02c654b824120dfa6b937ed6b32085ffd25a4c89dc0a98752840be752580c2ba20e176b93
+  data.tar.gz: dcea450f73cf8ad4f3f9845ffe1d850feec89cc02683c2d0e3f72049141844d2550f701a3c9aab24c1620f6504217ed02e52a84f283287c1efccfe88f1c903e7

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 1.0.6
+  - Relax constraint on logstash-core-plugin-api to >= 1.60 <= 2.99
+
+## 1.0.5
+ - Initial commit

data/CONTRIBUTORS

@@ -0,0 +1,10 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Guy Boertje [guyboertje]
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-dissect
+If any developer-centric advice will appear here, as needed.

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+gemspec
+
+gem 'logstash-input-generator', '~> 3.0', '>= 3.0.1'
+gem 'logstash-output-null', '~> 3.0', '>= 3.0.1'
+gem 'logstash-filter-drop', '~> 3.0', '>= 3.0.1'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,98 @@
+# Logstash Plugin
+
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-filter-example.svg)](https://travis-ci.org/logstash-plugins/logstash-filter-example)
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash/filters/dissect.rb

@@ -0,0 +1,148 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+require "java"
+require "jars/jruby-dissect-library.jar"
+require "jruby_dissector"
+
+# De-structures text
+#
+# The dissect filter is a kind of split operation.
+# Unlike a regular split operation where a single delimiter is applied to the
+# whole string, this operation applies a sequence of delimiters to an Event field's
+# string value. This sequence is called a dissection.
+# The dissection is created as a string using a %{} notation:
+# ........
+#        delimiter   suffix
+#        +---+       ++
+# %{key1}/ -- %{+key2/1}: %{&key1}
+# +-----+       |            +--+
+# field         prefix       key
+# ........
+
+# Note: delimiters can't contain the `%{` `}` characters.
+
+# The config should look like this:
+# [source, ruby]
+#   filter {
+#     dissect {
+#       mapping => {
+#         "message" => "%{timestamp} %{+timestamp} %{+timestamp} %{logsource} %{} %{program}[%{pid}]: %{msg}"
+#       }
+#     }
+#   }
+
+# When dissecting a string any text between the delimiters, a found value, will be stored
+# in the Event using that field name.
+
+# The Key:
+# The key is the text between the `%{` and `}`, exclusive of the ?, +, & prefixes and the ordinal suffix.
+# `%{?aaa}` - key is `aaa`
+# `%{+bbb/3}` - key is `bbb`
+# `%{&ccc}` - key is `ccc`
+
+# Normal field notation
+# The found value is added to the Event using the key.
+# `%{some_field}` - a normal field
+
+# Skip field notation
+# The found value is recorded internally but not added to the Event.
+# The key, if supplied, is prefixed with a `?`.
+# `%{}` - an empty skip field
+# `%{?some_field} - named skip field
+
+# Append field notation
+# The value is appended to another value or stored if its the first field seen.
+# The key is prefixed with a `+`.
+# The final value is stored in the Event using the key.
+# The delimiter found before the field or a space is appended before the found value.
+# `%{+some_field}` - an append field
+# `%{+some_field/2}` - and append field with an order modifier.
+# An order modifier, `/number`, allows one to reorder the append sequence.
+# e.g. for a text of `1 2 3 go`, this `%{+a/2} %{+a/1} %{+a/4} %{+a/3}` will build a key/value of `a => 2 1 go 3`
+# Append fields without an order modifier will append in declared order.
+# e.g. for a text of `1 2 3 go`, this `%{a} %{b} %{+a}` will build two key/values of `a => 1 3 go, b => 2`
+
+# Indirect field notation
+# The found value is added to the Event using the found value of another field as the key.
+# The key is prefixed with a `&`.
+# `%{&some_field}` - an indirect field where the key is indirectly sourced from the value of `some_field`.
+# e.g. for a text of `error: some_error, description`, this `error: %{?err}, %{&desc}`will build a key/value of `'some_error' => description`
+# Hint: use a Skip field if you do not want the indirection key/value stored.
+# e.g. for a text of `google: 77.98`, this `%{?a}: %{&a}` will build a key/value of `google => 77.98`.
+
+# Note: for append and indirect field the key can refer to a field that already exists in the event before dissection.
+# Note: append and indirect cannot be combined. This will fail validation.
+# `%{+&something}` - will add a value to the `&something` key, probably not the intended outcome.
+# `%{&+something}` will add a value to the `+something` key, again unintended.
+
+# Delimiter repetition
+# In the source text if a field has variable width padded with delimiters, the padding will be ignored.
+# e.g. for texts of:
+# ........
+# 00000043 ViewReceiver  I
+# 000000b3 Peer          I
+# ........
+# and a dissection of `%{a} %{b} %{c}`; the padding is ignored.
+#
+# You probably want to put this filter in an if block to ensure that the event
+# contains text with a suitable layout.
+# [source, ruby]
+# filter {
+#   if [type] == "syslog" or "syslog" in [tags] {
+#     dissect {
+#       mapping => {
+#         "message" => "%{timestamp} %{+timestamp} %{+timestamp} %{logsource} %{} %{program}[%{pid}]: %{msg}"
+#       }
+#     }
+#   }
+# }
+
+module LogStash module Filters class Dissect < LogStash::Filters::Base
+
+  config_name "dissect"
+
+  # A hash of dissections of field => value
+  # A later dissection can be done on an earlier one
+  # or they can be independent.
+  #
+  # For example
+  # [source, ruby]
+  # filter {
+  #   dissect {
+  #     mapping => {
+  #       "message" => "%{field1} %{field2} %{description}"
+  #       "description" => "%{field3} %{field4} %{field5}"
+  #     }
+  #   }
+  # }
+  #
+  # This is useful if you want to keep the field `description` also
+  # dissect it some more.
+  config :mapping, :validate => :hash, :default => {}
+
+  # TODO add docs
+  config :convert_datatype, :validate => :hash, :default => {}
+
+  # Append values to the `tags` field when dissection fails
+  config :tag_on_failure, :validate => :array, :default => ["_dissectfailure"]
+
+  public
+
+  def register
+     @dissector = LogStash::Dissector.new(@mapping)
+  end
+
+  def filter(event)
+    # all plugin functions happen in the JRuby extension:
+    # debug, warn and error logging, filter_matched, tagging etc.
+    @dissector.dissect(event, self)
+  end
+
+  def multi_filter(events)
+    LogStash::Util.set_thread_plugin(self)
+    @dissector.dissect_multi(events, self)
+    events
+  end
+end end end

data/logstash-filter-dissect.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-dissect'
+  s.version         = '1.0.6'
+  s.licenses = ['Apache License (2.0)']
+  s.summary = "This dissect filter will destructurize text in multiple fields."
+  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors = ["Elastic"]
+  s.email = 'info@elastic.co'
+  s.homepage = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_development_dependency 'logstash-devutils', '~> 1.0.0'
+end

data/spec/filters/dissect_spec.rb

@@ -0,0 +1,255 @@
+# encoding: utf-8
+require 'spec_helper'
+require "logstash/filters/dissect"
+
+describe LogStash::Filters::Dissect do
+  class LoggerMock
+    attr_reader :msgs, :hashes
+    def initialize()
+      @msgs = []
+      @hashes = []
+    end
+
+    def error(*msg)
+      @msgs.push(msg[0])
+      @hashes.push(msg[1])
+    end
+
+    def warn(*msg)
+      @msgs.push(msg[0])
+      @hashes.push(msg[1])
+    end
+
+    def debug?() true; end
+
+    def debug(*msg)
+      @msgs.push(msg[0])
+      @hashes.push(msg[1])
+    end
+  end
+
+  describe "Basic dissection" do
+    let(:config) do <<-CONFIG
+      filter {
+        dissect {
+          mapping => {
+            message => "[%{occurred_at}] %{code} %{service} %{ic} %{svc_message}"
+          }
+        }
+      }
+    CONFIG
+    end
+
+    sample("message" => "[25/05/16 09:10:38:425 BST] 00000001 SystemOut     O java.lang:type=MemoryPool,name=class storage") do
+      expect(subject.get("occurred_at")).to eq("25/05/16 09:10:38:425 BST")
+      expect(subject.get("code")).to eq("00000001")
+      expect(subject.get("service")).to eq("SystemOut")
+      expect(subject.get("ic")).to eq("O")
+      expect(subject.get("svc_message")).to eq("java.lang:type=MemoryPool,name=class storage")
+    end
+  end
+
+  describe "Basic dissection with datatype conversion" do
+    let(:config) do <<-CONFIG
+      filter {
+        dissect {
+          mapping => {
+            message => "[%{occurred_at}] %{code} %{service} %{?ic}=%{&ic}% %{svc_message}"
+          }
+          convert_datatype => {
+            cpu => "float"
+            code => "int"
+          }
+        }
+      }
+    CONFIG
+    end
+
+    sample("message" => "[25/05/16 09:10:38:425 BST] 00000001 SystemOut cpu=95.43% java.lang:type=MemoryPool,name=class storage") do
+      expect(subject.get("occurred_at")).to eq("25/05/16 09:10:38:425 BST")
+      expect(subject.get("code")).to eq(1)
+      expect(subject.get("service")).to eq("SystemOut")
+      expect(subject.get("cpu")).to eq(95.43)
+      expect(subject.get("svc_message")).to eq("java.lang:type=MemoryPool,name=class storage")
+    end
+  end
+
+  describe "Basic dissection with failing datatype conversion" do
+    subject(:filter) {  LogStash::Filters::Dissect.new(config)  }
+
+    let(:message)    { "[25/05/16 09:10:38:425 BST] 00000001 SystemOut cpu=95.43% java.lang:type=MemoryPool,name=class storage" }
+    let(:config)     do
+      {
+          "mapping" => {"message" => "[%{occurred_at}] %{code} %{service} %{?ic}=%{&ic}% %{svc_message}"},
+          "convert_datatype" => {
+            "ccu" => "float", # ccu field -> nil
+            "code" => "integer", # only int is supported
+            "other" => "int" # other field -> hash - not coercible
+          }
+      }
+    end
+    let(:event)      { LogStash::Event.new("message" => message, "other" => {}) }
+    let(:loggr)      { LoggerMock.new }
+
+    before(:each) do
+      filter.logger = loggr
+    end
+
+    it "tags and log messages are created" do
+      filter.register
+      filter.filter(event)
+      expect(event.get("code")).to eq("00000001")
+      expect(event.get("tags")).to eq(["_dataconversionnullvalue_ccu_float", "_dataconversionmissing_code_integer", "_dataconversionuncoercible_other_int"])
+      expect(loggr.msgs).to eq(
+          [
+              "Event before dissection",
+              "Dissector datatype conversion, value cannot be coerced, key: ccu, value: null",
+              "Dissector datatype conversion, datatype not supported: integer",
+              "Dissector datatype conversion, value cannot be coerced, key: other, value: {}",
+              "Event after dissection"
+          ]
+      )
+    end
+  end
+
+  describe "dissect with skip and append" do
+    let(:config) do <<-CONFIG
+        filter {
+          dissect {
+            mapping => {
+              "message" => "%{timestamp} %{+timestamp} %{+timestamp} %{logsource} %{} %{program}[%{pid}]: %{msg}"
+            }
+            add_field => { favorite_filter => "why, dissect of course" }
+          }
+        }
+      CONFIG
+    end
+
+    sample("message" => "Mar 16 00:01:25 evita skip-this postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]") do
+      expect(subject.get("tags")).to be_nil
+      expect(subject.get("logsource")).to eq("evita")
+      expect(subject.get("timestamp")).to eq("Mar 16 00:01:25")
+      expect(subject.get("msg")).to eq("connect from camomile.cloud9.net[168.100.1.3]")
+      expect(subject.get("program")).to eq("postfix/smtpd")
+      expect(subject.get("pid")).to eq("1713")
+      expect(subject.get("favorite_filter")).to eq("why, dissect of course")
+    end
+  end
+
+  context "when mapping a key is not found" do
+    subject(:filter) {  LogStash::Filters::Dissect.new(config)  }
+
+    let(:message)    { "very random message :-)" }
+    let(:config)     { {"mapping" => {"blah-di-blah" => "%{timestamp} %{+timestamp}"}} }
+    let(:event)      { LogStash::Event.new("message" => message) }
+    let(:loggr)      { LoggerMock.new }
+
+    before(:each) do
+      filter.logger = loggr
+    end
+
+    it "does not raise any exceptions" do
+      expect{filter.register}.not_to raise_exception
+    end
+
+    it "dissect failure key missing is logged" do
+      filter.register
+      filter.filter(event)
+      expect(loggr.msgs).to eq(["Event before dissection", "Dissector mapping, key not found in event", "Event after dissection"])
+    end
+  end
+
+  describe "valid field format handling" do
+    subject(:filter) {  LogStash::Filters::Dissect.new(config)  }
+    let(:config)     { {"mapping" => {"message" => "%{+timestamp/2} %{+timestamp/1} %{?no_name} %{&no_name} %{} %{program}[%{pid}]: %{msg}"}}}
+    let(:loggr)      { LoggerMock.new }
+
+    before(:each) do
+      filter.logger = loggr
+    end
+
+    it "does not raise an error in register" do
+      expect{filter.register}.not_to raise_exception
+    end
+  end
+
+  describe "invalid field format handling" do
+    subject(:filter) {  LogStash::Filters::Dissect.new(config)  }
+    let(:loggr)      { LoggerMock.new }
+
+    before(:each) do
+      filter.logger = loggr
+    end
+
+    context "when field is defined as Append and Indirect (+&)" do
+      let(:config)     { {"mapping" => {"message" => "%{+&timestamp}"}}}
+      it "raises an error in register" do
+        msg = "org.logstash.dissect.InvalidFieldException: Field cannot prefix with both Append and Indirect Prefix (+&): +&timestamp"
+        expect{filter.register}.to raise_exception(LogStash::FieldFormatError, msg)
+      end
+    end
+
+    context "when field is defined as Indirect and Append (&+)" do
+      let(:config)     { {"mapping" => {"message" => "%{&+timestamp}"}}}
+      it "raises an error in register" do
+        msg = "org.logstash.dissect.InvalidFieldException: Field cannot prefix with both Append and Indirect Prefix (&+): &+timestamp"
+        expect{filter.register}.to raise_exception(LogStash::FieldFormatError, msg)
+      end
+    end
+  end
+
+  describe "baseline performance test", :performance => true do
+    event_count = 1000000
+    min_rate = 30000
+
+    max_duration = event_count / min_rate
+    cfg_base = <<-CONFIG
+          input {
+            generator {
+              count => #{event_count}
+              message => "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]"
+            }
+          }
+          output { null { } }
+        CONFIG
+
+    config(cfg_base)
+    start = Time.now.to_f
+    agent do
+      duration = (Time.now.to_f - start)
+      puts "\n\ninputs/generator baseline rate: #{"%02.0f/sec" % (event_count / duration)}, elapsed: #{duration}s\n\n"
+      insist { duration } < max_duration
+    end
+  end
+
+  describe "dissect performance test", :performance => true do
+    event_count = 1000000
+    min_rate = 30000
+    max_duration = event_count / min_rate
+
+    cfg_filter = <<-CONFIG
+          input {
+            generator {
+              count => #{event_count}
+              message => "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]"
+            }
+          }
+          filter {
+            dissect {
+              mapping => {
+                "message" => "%{timestamp} %{+timestamp} %{+timestamp} %{logsource} %{program}[%{pid}]: %{msg}"
+              }
+            }
+          }
+          output { null { } }
+        CONFIG
+
+    config(cfg_filter)
+    start = Time.now.to_f
+    agent do
+      duration = (Time.now.to_f - start)
+      puts "\n\nfilters/dissect rate: #{"%02.0f/sec" % (event_count / duration)}, elapsed: #{duration}s\n\n"
+      insist { duration } < event_count / min_rate
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+
+module LogStash::Environment
+  # running the grok code outside a logstash package means
+  # LOGSTASH_HOME will not be defined, so let's set it here
+  # before requiring the grok filter
+  unless self.const_defined?(:LOGSTASH_HOME)
+    LOGSTASH_HOME = File.expand_path("../../../", __FILE__)
+  end
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-dissect
+version: !ruby/object:Gem::Version
+  version: 1.0.6
+platform: ruby
+authors:
+- Elastic
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-07-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+email: info@elastic.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/jars/jruby-dissect-library.jar
+- lib/logstash/filters/dissect.rb
+- logstash-filter-dissect.gemspec
+- spec/filters/dissect_spec.rb
+- spec/spec_helper.rb
+homepage: http://www.elastic.co/guide/en/logstash/current/index.html
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.3
+signing_key:
+specification_version: 4
+summary: This dissect filter will destructurize text in multiple fields.
+test_files:
+- spec/filters/dissect_spec.rb
+- spec/spec_helper.rb