logstash-filter-dissect 1.1.4 → 1.2.3

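--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 21b60b83ce9a628a4c1879f0cffa16b3266595a5858fa5874998d3ca971718a6
- data.tar.gz: e6b49de027860dcd0f6316ff93632aa8dd33f2bc9323258babfdbe867ea23bb3
+ metadata.gz: 6a0a1db8e2b1cd398f4f32e5433a8560a154aacd2b841e8eba1fb9709f1798f6
+ data.tar.gz: a446ac8adc62d322318d0a05e060779f87ef61111c1ad6c536211cd8826e9a74
  SHA512:
- metadata.gz: ee8590d5715087e826fe63853919972602161ddeddb6055a3585aef0dc6c2a9ce5ca6c1bcdc575703fb145abf41381ec1e460b5fa2c224fea16b0325555c7c47
- data.tar.gz: 562fc016a5fe3e6312ecc1949a53764ebff4ae0a67cdfee903ca4c0f021ecdecd90fcedb690aba3acb35edb00ebf81960236315d383f33c12ef70a5b146deaaf
+ metadata.gz: '083b2aa51fc8fa242d90268d1e3efd712e894cdc2a67457d95a7c8830a1e2ad866e6fd5aec71c7b33edf9bbb17faf454944c85d5f2d22d5d25d6566a9827d48f'
+ data.tar.gz: 7f689abdb37eae898c3195c27b0704f3bf8700eab3bcf2fc3e8f1d14911df29692916436282db590b14814f08f36fbf7c168668afe2250a74cdca0ba663fde8e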
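--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,20 @@
+ ## 1.2.3
+ - Update log4j dependencies to 2.17.0
+
+ ## 1.2.2
+ - Update log4j dependencies [#80](https://github.com/logstash-plugins/logstash-filter-dissect/pull/80)
+ - Fix: update to Gradle 7 [#78](https://github.com/logstash-plugins/logstash-filter-dissect/pull/78)
+
+ ## 1.2.1
+ - [DOC] Added note to clarify notation for dot or nested fields [#76](https://github.com/logstash-plugins/logstash-filter-dissect/pull/76)
+
+ ## 1.2.0
+ - Fix Trailing Delimiters requires a false field. A skip field is
+ automatically added when a final delimiter is detected in the dissect pattern.
+ This requires that strict delimiter finding is enforced - meaning a "no match"
+ results if every delimiter is not found in exactly the declared order
+ [Issue #22](https://github.com/logstash-plugins/logstash-filter-dissect/issues/22)
+
  ## 1.1.4
  - Replace v1.1.3 as it packaged the v1.1.1 jar and therefore does not have the fixes below
  - Yank v1.1.3 from rubygems.org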
data/LICENSE CHANGED
@@ -1,13 +1,202 @@
1
- Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
2
1
 
3
- Licensed under the Apache License, Version 2.0 (the "License");
4
- you may not use this file except in compliance with the License.
5
- You may obtain a copy of the License at
2
+ Apache License
3
+ Version 2.0, January 2004
4
+ http://www.apache.org/licenses/
6
5
 
7
- http://www.apache.org/licenses/LICENSE-2.0
6
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
8
7
 
9
- Unless required by applicable law or agreed to in writing, software
10
- distributed under the License is distributed on an "AS IS" BASIS,
11
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
- See the License for the specific language governing permissions and
13
- limitations under the License.
8
+ 1. Definitions.
9
+
10
+ "License" shall mean the terms and conditions for use, reproduction,
11
+ and distribution as defined by Sections 1 through 9 of this document.
12
+
13
+ "Licensor" shall mean the copyright owner or entity authorized by
14
+ the copyright owner that is granting the License.
15
+
16
+ "Legal Entity" shall mean the union of the acting entity and all
17
+ other entities that control, are controlled by, or are under common
18
+ control with that entity. For the purposes of this definition,
19
+ "control" means (i) the power, direct or indirect, to cause the
20
+ direction or management of such entity, whether by contract or
21
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
22
+ outstanding shares, or (iii) beneficial ownership of such entity.
23
+
24
+ "You" (or "Your") shall mean an individual or Legal Entity
25
+ exercising permissions granted by this License.
26
+
27
+ "Source" form shall mean the preferred form for making modifications,
28
+ including but not limited to software source code, documentation
29
+ source, and configuration files.
30
+
31
+ "Object" form shall mean any form resulting from mechanical
32
+ transformation or translation of a Source form, including but
33
+ not limited to compiled object code, generated documentation,
34
+ and conversions to other media types.
35
+
36
+ "Work" shall mean the work of authorship, whether in Source or
37
+ Object form, made available under the License, as indicated by a
38
+ copyright notice that is included in or attached to the work
39
+ (an example is provided in the Appendix below).
40
+
41
+ "Derivative Works" shall mean any work, whether in Source or Object
42
+ form, that is based on (or derived from) the Work and for which the
43
+ editorial revisions, annotations, elaborations, or other modifications
44
+ represent, as a whole, an original work of authorship. For the purposes
45
+ of this License, Derivative Works shall not include works that remain
46
+ separable from, or merely link (or bind by name) to the interfaces of,
47
+ the Work and Derivative Works thereof.
48
+
49
+ "Contribution" shall mean any work of authorship, including
50
+ the original version of the Work and any modifications or additions
51
+ to that Work or Derivative Works thereof, that is intentionally
52
+ submitted to Licensor for inclusion in the Work by the copyright owner
53
+ or by an individual or Legal Entity authorized to submit on behalf of
54
+ the copyright owner. For the purposes of this definition, "submitted"
55
+ means any form of electronic, verbal, or written communication sent
56
+ to the Licensor or its representatives, including but not limited to
57
+ communication on electronic mailing lists, source code control systems,
58
+ and issue tracking systems that are managed by, or on behalf of, the
59
+ Licensor for the purpose of discussing and improving the Work, but
60
+ excluding communication that is conspicuously marked or otherwise
61
+ designated in writing by the copyright owner as "Not a Contribution."
62
+
63
+ "Contributor" shall mean Licensor and any individual or Legal Entity
64
+ on behalf of whom a Contribution has been received by Licensor and
65
+ subsequently incorporated within the Work.
66
+
67
+ 2. Grant of Copyright License. Subject to the terms and conditions of
68
+ this License, each Contributor hereby grants to You a perpetual,
69
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70
+ copyright license to reproduce, prepare Derivative Works of,
71
+ publicly display, publicly perform, sublicense, and distribute the
72
+ Work and such Derivative Works in Source or Object form.
73
+
74
+ 3. Grant of Patent License. Subject to the terms and conditions of
75
+ this License, each Contributor hereby grants to You a perpetual,
76
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77
+ (except as stated in this section) patent license to make, have made,
78
+ use, offer to sell, sell, import, and otherwise transfer the Work,
79
+ where such license applies only to those patent claims licensable
80
+ by such Contributor that are necessarily infringed by their
81
+ Contribution(s) alone or by combination of their Contribution(s)
82
+ with the Work to which such Contribution(s) was submitted. If You
83
+ institute patent litigation against any entity (including a
84
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
85
+ or a Contribution incorporated within the Work constitutes direct
86
+ or contributory patent infringement, then any patent licenses
87
+ granted to You under this License for that Work shall terminate
88
+ as of the date such litigation is filed.
89
+
90
+ 4. Redistribution. You may reproduce and distribute copies of the
91
+ Work or Derivative Works thereof in any medium, with or without
92
+ modifications, and in Source or Object form, provided that You
93
+ meet the following conditions:
94
+
95
+ (a) You must give any other recipients of the Work or
96
+ Derivative Works a copy of this License; and
97
+
98
+ (b) You must cause any modified files to carry prominent notices
99
+ stating that You changed the files; and
100
+
101
+ (c) You must retain, in the Source form of any Derivative Works
102
+ that You distribute, all copyright, patent, trademark, and
103
+ attribution notices from the Source form of the Work,
104
+ excluding those notices that do not pertain to any part of
105
+ the Derivative Works; and
106
+
107
+ (d) If the Work includes a "NOTICE" text file as part of its
108
+ distribution, then any Derivative Works that You distribute must
109
+ include a readable copy of the attribution notices contained
110
+ within such NOTICE file, excluding those notices that do not
111
+ pertain to any part of the Derivative Works, in at least one
112
+ of the following places: within a NOTICE text file distributed
113
+ as part of the Derivative Works; within the Source form or
114
+ documentation, if provided along with the Derivative Works; or,
115
+ within a display generated by the Derivative Works, if and
116
+ wherever such third-party notices normally appear. The contents
117
+ of the NOTICE file are for informational purposes only and
118
+ do not modify the License. You may add Your own attribution
119
+ notices within Derivative Works that You distribute, alongside
120
+ or as an addendum to the NOTICE text from the Work, provided
121
+ that such additional attribution notices cannot be construed
122
+ as modifying the License.
123
+
124
+ You may add Your own copyright statement to Your modifications and
125
+ may provide additional or different license terms and conditions
126
+ for use, reproduction, or distribution of Your modifications, or
127
+ for any such Derivative Works as a whole, provided Your use,
128
+ reproduction, and distribution of the Work otherwise complies with
129
+ the conditions stated in this License.
130
+
131
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
132
+ any Contribution intentionally submitted for inclusion in the Work
133
+ by You to the Licensor shall be under the terms and conditions of
134
+ this License, without any additional terms or conditions.
135
+ Notwithstanding the above, nothing herein shall supersede or modify
136
+ the terms of any separate license agreement you may have executed
137
+ with Licensor regarding such Contributions.
138
+
139
+ 6. Trademarks. This License does not grant permission to use the trade
140
+ names, trademarks, service marks, or product names of the Licensor,
141
+ except as required for reasonable and customary use in describing the
142
+ origin of the Work and reproducing the content of the NOTICE file.
143
+
144
+ 7. Disclaimer of Warranty. Unless required by applicable law or
145
+ agreed to in writing, Licensor provides the Work (and each
146
+ Contributor provides its Contributions) on an "AS IS" BASIS,
147
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148
+ implied, including, without limitation, any warranties or conditions
149
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150
+ PARTICULAR PURPOSE. You are solely responsible for determining the
151
+ appropriateness of using or redistributing the Work and assume any
152
+ risks associated with Your exercise of permissions under this License.
153
+
154
+ 8. Limitation of Liability. In no event and under no legal theory,
155
+ whether in tort (including negligence), contract, or otherwise,
156
+ unless required by applicable law (such as deliberate and grossly
157
+ negligent acts) or agreed to in writing, shall any Contributor be
158
+ liable to You for damages, including any direct, indirect, special,
159
+ incidental, or consequential damages of any character arising as a
160
+ result of this License or out of the use or inability to use the
161
+ Work (including but not limited to damages for loss of goodwill,
162
+ work stoppage, computer failure or malfunction, or any and all
163
+ other commercial damages or losses), even if such Contributor
164
+ has been advised of the possibility of such damages.
165
+
166
+ 9. Accepting Warranty or Additional Liability. While redistributing
167
+ the Work or Derivative Works thereof, You may choose to offer,
168
+ and charge a fee for, acceptance of support, warranty, indemnity,
169
+ or other liability obligations and/or rights consistent with this
170
+ License. However, in accepting such obligations, You may act only
171
+ on Your own behalf and on Your sole responsibility, not on behalf
172
+ of any other Contributor, and only if You agree to indemnify,
173
+ defend, and hold each Contributor harmless for any liability
174
+ incurred by, or claims asserted against, such Contributor by reason
175
+ of your accepting any such warranty or additional liability.
176
+
177
+ END OF TERMS AND CONDITIONS
178
+
179
+ APPENDIX: How to apply the Apache License to your work.
180
+
181
+ To apply the Apache License to your work, attach the following
182
+ boilerplate notice, with the fields enclosed by brackets "[]"
183
+ replaced with your own identifying information. (Don't include
184
+ the brackets!) The text should be enclosed in the appropriate
185
+ comment syntax for the file format. We also recommend that a
186
+ file or class name and description of purpose be included on the
187
+ same "printed page" as the copyright notice for easier
188
+ identification within third-party archives.
189
+
190
+ Copyright 2020 Elastic and contributors
191
+
192
+ Licensed under the Apache License, Version 2.0 (the "License");
193
+ you may not use this file except in compliance with the License.
194
+ You may obtain a copy of the License at
195
+
196
+ http://www.apache.org/licenses/LICENSE-2.0
197
+
198
+ Unless required by applicable law or agreed to in writing, software
199
+ distributed under the License is distributed on an "AS IS" BASIS,
200
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201
+ See the License for the specific language governing permissions and
202
+ limitations under the License.
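--- a/data/README.md
+++ b/data/README.md
@@ -31,7 +31,7 @@ Please read BUILD_INSTRUCTIONS.md
 
  # Logstash Plugin
 
- [![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-filter-dissect.svg)](https://travis-ci.org/logstash-plugins/logstash-filter-dissect)
+ [![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-filter-dissect.svg)](https://travis-ci.com/logstash-plugins/logstash-filter-dissect)
 
  This is a plugin for [Logstash](https://github.com/elastic/logstash).
 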
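--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 1.1.4
+ 1.2.3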
data/docs/index.asciidoc CHANGED
@@ -20,29 +20,60 @@ include::{include_path}/plugin_header.asciidoc[]
20
20
 
21
21
  ==== Description
22
22
 
23
- The Dissect filter is a kind of split operation. Unlike a regular split operation where one delimiter is applied to
24
- the whole string, this operation applies a set of delimiters to a string value. +
25
- Dissect does not use regular expressions and is very fast. +
26
- However, if the structure of your text varies from line to line then Grok is more suitable. +
27
- There is a hybrid case where Dissect can be used to de-structure the section of the line that is reliably repeated and
28
- then Grok can be used on the remaining field values with more regex predictability and less overall work to do. +
23
+ The Dissect filter plugin tokenizes incoming strings using defined patterns.
24
+ It extracts unstructured event data into fields using
25
+ delimiters. This process is called tokenization.
29
26
 
30
- A set of fields and delimiters is called a *dissection*.
27
+ Unlike a regular split operation where one delimiter is applied to the whole
28
+ string, the Dissect operation applies a set of delimiters to a string value.
31
29
 
30
+ NOTE: All keys must be found and extracted for tokenization to be successful.
31
+ If one or more keys cannot be found, an error occurs and the original event is
32
+ not modified.
33
+
34
+ ===== Dissect or Grok? Or both?
35
+
36
+ Dissect differs from Grok in that it does not use regular expressions and is faster.
37
+ Dissect works well when data is reliably repeated.
38
+ Grok is a better choice when the structure of your text varies from line to line.
39
+
40
+ You can use both Dissect and Grok for a hybrid use case when a section of the
41
+ line is reliably repeated, but the entire line is not. The Dissect filter can
42
+ deconstruct the section of the line that is repeated. The Grok filter can process
43
+ the remaining field values with more regex predictability.
44
+
45
+ ===== Terminology
46
+
47
+ *dissect pattern* - the set of fields and delimiters describing the textual
48
+ format. Also known as a dissection.
32
49
  The dissection is described using a set of `%{}` sections:
33
- ....
34
- %{a} - %{b} - %{c}
35
- ....
50
+ `%{a} - %{b} - %{c}`
51
+
52
+ *field* - the text from `%{` to `}` inclusive.
53
+
54
+ *delimiter* - the text between `}` and the next `%{` characters.
55
+ Any set of characters other than `%{`, `'not }'`, or `}` is a delimiter.
56
+
57
+ *key* - the text between the `%{` and `}`, exclusive of the `?`, `+`, `&` prefixes
58
+ and the ordinal suffix.
36
59
 
37
- A *field* is the text from `%` to `}` inclusive.
60
+ Examples:
38
61
 
39
- A *delimiter* is the text between a `}` and next `%{` characters.
62
+ `%{?aaa}` - the key is `aaa`
40
63
 
41
- [NOTE]
42
- Any set of characters that do not fit `%{`, `'not }'`, `}` pattern is a delimiter.
64
+ `%{+bbb/3}` - the key is `bbb`
65
+
66
+ `%{&ccc}` - the key is `ccc`
67
+
68
+ NOTE: Using the `.` (dot) as `key` will generate fields with `.` in the field name. If
69
+ you want to get nested fields, use the brackets notation such as `%{[fieldname][subfieldname]}`.
70
+
71
+ ===== Sample configuration
43
72
 
44
73
  The config might look like this:
45
- ....
74
+
75
+ [source,ruby]
76
+ -----
46
77
  filter {
47
78
  dissect {
48
79
  mapping => {
@@ -50,93 +81,141 @@ The config might look like this:
50
81
  }
51
82
  }
52
83
  }
53
- ....
54
- When dissecting a string from left to right, text is captured upto the first delimiter - this captured text is stored in the first field.
55
- This is repeated for each field/# delimiter pair thereafter until the last delimiter is reached, then *the remaining text is stored in the last field*. +
84
+ -----
85
+
86
+ When a string is dissected from left to right, text is captured up to the first
87
+ delimiter. The captured text is stored in the first field. This is repeated
88
+ for each field/# delimiter pair until the last delimiter is reached.
89
+ Then *the remaining text is stored in the last field*.
90
+
91
+ ==== Notations
92
+
93
+ <<plugins-{type}s-{plugin}-normal>>
56
94
 
57
- *The Key:* +
58
- The key is the text between the `%{` and `}`, exclusive of the ?, +, & prefixes and the ordinal suffix. +
59
- `%{?aaa}` - key is `aaa` +
60
- `%{+bbb/3}` - key is `bbb` +
61
- `%{&ccc}` - key is `ccc` +
95
+ <<plugins-{type}s-{plugin}-skip>>
62
96
 
97
+ <<plugins-{type}s-{plugin}-append>>
98
+
99
+ <<plugins-{type}s-{plugin}-indirect>>
100
+
101
+ ===== Notes and usage guidelines
102
+
103
+ * For append or indirect fields, the key can refer to a field that already exists in the event before dissection.
104
+
105
+ * Use a Skip field if you do not want the indirection key/value stored.
106
+ +
107
+ Example:
108
+ +
109
+ `%{?a}: %{&a}` applied to text `google: 77.98` will build a key/value of `google => 77.98`.
110
+
111
+ * Append and indirect cannot be combined.
112
+ +
113
+ Examples:
114
+ +
115
+ `%{+&something}` will add a value to the `&something` key (probably not the intended outcome).
116
+ +
117
+ `%{&+something}` will add a value to the `+something` key (again probably unintended).
118
+
119
+ [id="plugins-{type}s-{plugin}-normal"]
63
120
  ===== Normal field notation
64
- The found value is added to the Event using the key. +
65
- `%{some_field}` - a normal field has no prefix or suffix
121
+ The found value is added to the Event using the key.
122
+ A normal field has no prefix or suffix.
123
+
124
+ Example:
125
+
126
+ `%{some_field}`
66
127
 
67
- *Skip field notation:* +
68
- The found value is stored internally but not added to the Event. +
128
+
129
+ [id="plugins-{type}s-{plugin}-skip"]
130
+ ===== Skip field notation
131
+ The found value is stored internally, but is not added to the Event.
69
132
  The key, if supplied, is prefixed with a `?`.
70
133
 
134
+ Examples:
135
+
71
136
  `%{}` is an empty skip field.
72
137
 
73
138
  `%{?foo}` is a named skip field.
74
139
 
140
+ [id="plugins-{type}s-{plugin}-append"]
75
141
  ===== Append field notation
76
- The value is appended to another value or stored if its the first field seen. +
77
- The key is prefixed with a `+`. +
78
- The final value is stored in the Event using the key. +
142
+ If the value is the first field seen, it is stored.
143
+ Subsequent fields are appended to another value.
79
144
 
80
- [NOTE]
81
- ====
82
- The delimiter found before the field is appended with the value. +
145
+ The key is prefixed with a `+`.
146
+ The final value is stored in the Event using the key.
147
+
148
+ NOTE: The delimiter found before the field is appended with the value.
83
149
  If no delimiter is found before the field, a single space character is used.
84
- ====
85
150
 
86
- `%{+some_field}` is an append field. +
151
+ Examples:
152
+
153
+ `%{+some_field}` is an append field.
154
+
87
155
  `%{+some_field/2}` is an append field with an order modifier.
88
156
 
89
- An order modifier, `/digits`, allows one to reorder the append sequence. +
90
- e.g. for a text of `1 2 3 go`, this `%{+a/2} %{+a/1} %{+a/4} %{+a/3}` will build a key/value of `a => 2 1 go 3` +
91
- Append fields without an order modifier will append in declared order. +
92
- e.g. for a text of `1 2 3 go`, this `%{a} %{b} %{+a}` will build two key/values of `a => 1 3 go, b => 2` +
157
+ **Order modifiers**
158
+
159
+ An order modifier, `/digits`, allows one to reorder the append sequence.
160
+
161
+ Example:
93
162
 
163
+ For text `1 2 3 go`, this `%{+a/2} %{+a/1} %{+a/4} %{+a/3}` will build a key/value of `a => 2 1 go 3`.
164
+
165
+ *Append fields* without an order modifier will append in declared order.
166
+
167
+ Example:
168
+
169
+ For text `1 2 3 go`, this `%{a} %{b} %{+a}` will build two key/values of `a => 1 3 go, b => 2`
170
+
171
+ [id="plugins-{type}s-{plugin}-indirect"]
94
172
  ===== Indirect field notation
95
- The found value is added to the Event using the found value of another field as the key. +
96
- The key is prefixed with a `&`. +
97
- `%{&some_field}` - an indirect field where the key is indirectly sourced from the value of `some_field`. +
98
- e.g. for a text of `error: some_error, some_description`, this `error: %{?err}, %{&err}` will build a key/value of `some_error => some_description`.
173
+ The found value is added to the Event using the found value of another field as the key.
174
+ The key is prefixed with a `&`.
99
175
 
100
- [NOTE]
101
- for append and indirect field the key can refer to a field that already exists in the event before dissection.
176
+ Examples:
102
177
 
103
- [NOTE]
104
- use a Skip field if you do not want the indirection key/value stored.
178
+ `%{&some_field}` is an indirect field where the key is indirectly sourced from the value of `some_field`.
179
+
180
+ For text `error: some_error, some_description`, this notation `error: %{?err}, %{&err}` will build a key/value of `some_error => some_description`.
105
181
 
106
- e.g. for a text of `google: 77.98`, this `%{?a}: %{&a}` will build a key/value of `google => 77.98`.
107
182
 
108
- [NOTE]
109
- ===============================
110
- append and indirect cannot be combined and will fail validation. +
111
- `%{+&something}` - will add a value to the `&something` key, probably not the intended outcome. +
112
- `%{&+something}` will add a value to the `+something` key, again probably unintended. +
113
- ===============================
114
183
 
115
184
  ==== Multiple Consecutive Delimiter Handling
116
185
 
117
- [IMPORTANT]
118
- ===============================
119
- Starting from version 1.1.1 of this plugin, multiple found delimiter handling has changed.
120
- Now multiple consecutive delimiters will be seen as missing fields by default and not padding.
186
+ IMPORTANT: Multiple found delimiter handling has changed starting with version 1.1.1 of this plugin.
187
+ Now multiple consecutive delimiters are seen as missing fields by default and not padding.
121
188
  If you are already using Dissect and your source text has fields padded with extra delimiters,
122
189
  you will need to change your config. Please read the section below.
123
- ===============================
190
+
124
191
 
125
192
  ===== Empty data between delimiters
193
+
126
194
  Given this text as the sample used to create a dissection:
127
- ....
195
+
196
+ [source,ruby]
197
+ -----
128
198
  John Smith,Big Oaks,Wood Lane,Hambledown,Canterbury,CB34RY
129
- ....
199
+ -----
200
+
130
201
  The created dissection, with 6 fields, is:
131
- ....
202
+
203
+ [source,ruby]
204
+ -----
132
205
  %{name},%{addr1},%{addr2},%{addr3},%{city},%{zip}
133
- ....
206
+ -----
207
+
134
208
  When a line like this is processed:
135
- ....
209
+
210
+ [source,ruby]
211
+ -----
136
212
  Jane Doe,4321 Fifth Avenue,,,New York,87432
137
- ....
213
+ -----
214
+
138
215
  Dissect will create an event with empty fields for `addr2 and addr3` like so:
139
- ....
216
+
217
+ [source,ruby]
218
+ -----
140
219
  {
141
220
  "name": "Jane Doe",
142
221
  "addr1": "4321 Fifth Avenue",
@@ -145,23 +224,31 @@ Dissect will create an event with empty fields for `addr2 and addr3` like so:
145
224
  "city": "New York"
146
225
  "zip": "87432"
147
226
  }
148
- ....
227
+ -----
149
228
 
150
229
  ===== Delimiters used as padding to visually align fields
151
230
  *Padding to the right hand side*
152
231
 
153
232
  Given these texts as the samples used to create a dissection:
154
- ....
233
+
234
+ [source,ruby]
235
+ -----
155
236
  00000043 ViewReceive machine-321
156
237
  f3000a3b Calc machine-123
157
- ....
238
+ -----
239
+
158
240
  The dissection, with 3 fields, is:
159
- ....
241
+
242
+ [source,ruby]
243
+ -----
160
244
  %{id} %{function->} %{server}
161
- ....
245
+ -----
246
+
162
247
  Note, above, the second field has a `->` suffix which tells Dissect to ignore padding to its right. +
163
248
  Dissect will create these events:
164
- ....
249
+
250
+ [source,ruby]
251
+ -----
165
252
  {
166
253
  "id": "00000043",
167
254
  "function": "ViewReceive",
@@ -172,30 +259,38 @@ Dissect will create these events:
172
259
  "function": "Calc",
173
260
  "server": "machine-321"
174
261
  }
175
- ....
176
- [IMPORTANT]
177
- Always add the `->` suffix to the field on the left of the padding.
262
+ -----
263
+
264
+ IMPORTANT: Always add the `->` suffix to the field on the left of the padding.
178
265
 
179
266
  *Padding to the left hand side (to the human eye)*
180
267
 
181
268
  Given these texts as the samples used to create a dissection:
182
- ....
269
+
270
+ [source,ruby]
271
+ -----
183
272
  00000043 ViewReceive machine-321
184
273
  f3000a3b Calc machine-123
185
- ....
274
+ -----
275
+
186
276
  The dissection, with 3 fields, is now:
187
- ....
277
+
278
+ [source,ruby]
279
+ -----
188
280
  %{id->} %{function} %{server}
189
- ....
281
+ -----
282
+
190
283
  Here the `->` suffix moves to the `id` field because Dissect sees the padding as being to the right of the `id` field. +
191
284
 
192
285
  ==== Conditional processing
193
286
 
194
- You probably want to use this filter inside an `if` block. +
287
+ You probably want to use this filter inside an `if` block.
195
288
  This ensures that the event contains a field value with a suitable structure for the dissection.
196
289
 
197
- For example...
198
- ....
290
+ Example:
291
+
292
+ [source,ruby]
293
+ -----
199
294
  filter {
200
295
  if [type] == "syslog" or "syslog" in [tags] {
201
296
  dissect {
@@ -205,7 +300,7 @@ filter {
205
300
  }
206
301
  }
207
302
  }
208
- ....
303
+ -----
209
304
 
210
305
  [id="plugins-{type}s-{plugin}-options"]
211
306
  ==== Dissect Filter Configuration Options
@@ -231,20 +326,23 @@ filter plugins.
231
326
  * Value type is <<hash,hash>>
232
327
  * Default value is `{}`
233
328
 
234
- With this setting `int` and `float` datatype conversions can be specified. +
235
- These will be done after all `mapping` dissections have taken place. +
236
- Feel free to use this setting on its own without a `mapping` section. +
329
+ With this setting `int` and `float` datatype conversions can be specified.
330
+ These will be done after all `mapping` dissections have taken place.
331
+ Feel free to use this setting on its own without a `mapping` section.
332
+
333
+ *Example*
237
334
 
238
- For example
239
335
  [source, ruby]
336
+ -----
240
337
  filter {
241
338
  dissect {
242
339
  convert_datatype => {
243
- cpu => "float"
244
- code => "int"
340
+ "cpu" => "float"
341
+ "code" => "int"
245
342
  }
246
343
  }
247
344
  }
345
+ -----
248
346
 
249
347
  [id="plugins-{type}s-{plugin}-mapping"]
250
348
  ===== `mapping`
@@ -254,14 +352,16 @@ filter {
254
352
 
255
353
  A hash of dissections of `field => value` +
256
354
  [IMPORTANT]
257
- Don't use an escaped newline `\n` in the value, it will be seen as two characters `\` + `n`+
258
- Instead use actual line breaks in the config.+
355
+ Don't use an escaped newline `\n` in the value. It will be interpreted as two characters `\` + `n`.
356
+ Instead use actual line breaks in the config.
259
357
  Also use single quotes to define the value if it contains double quotes.
260
358
 
261
359
  A later dissection can be done on values from a previous dissection or they can be independent.
262
360
 
263
- For example
361
+ *Example*
362
+
264
363
  [source, ruby]
364
+ -----
265
365
  filter {
266
366
  dissect {
267
367
  mapping => {
@@ -272,9 +372,10 @@ filter {
272
372
  }
273
373
  }
274
374
  }
375
+ -----
275
376
 
276
377
  This is useful if you want to keep the field `description` but also
277
- dissect it some more.
378
+ dissect it further.
278
379
 
279
380
  [id="plugins-{type}s-{plugin}-tag_on_failure"]
280
381
  ===== `tag_on_failure`
@@ -1,4 +1,4 @@
1
1
  # AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
2
2
 
3
3
  require 'jar_dependencies'
4
- require_jar('org.logstash.dissect', 'jruby-dissect-library', '1.1.4')
4
+ require_jar('org.logstash.dissect', 'jruby-dissect-library', '1.2.3')
@@ -1,8 +1,6 @@
1
- DISSECT_VERSION = File.read(File.expand_path(File.join(File.dirname(__FILE__), "VERSION"))).strip unless defined?(DISSECT_VERSION)
2
-
3
1
  Gem::Specification.new do |s|
4
2
  s.name = 'logstash-filter-dissect'
5
- s.version = DISSECT_VERSION
3
+ s.version = '1.2.3' # version will be checked against VERSION file by `rake vendor`
6
4
  s.licenses = ['Apache License (2.0)']
7
5
  s.summary = "Extracts unstructured event data into fields using delimiters"
8
6
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
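Review bot: The literal on the new `s.version = '1.2.3'` line is now a third copy of the release number, alongside the VERSION file and the autogenerated `require_jar('org.logstash.dissect', 'jruby-dissect-library', '1.2.3')` line, and by its own comment it is cross-checked only when `rake vendor` runs. A `gem build` that skips that task can therefore publish a gem whose declared version disagrees with the packaged jar, which is the kind of mismatch the 1.1.4 changelog entry records for v1.1.3. Consider failing fast inside the gemspec right after the assignment, e.g. `raise "VERSION file does not match gemspec" unless File.read(File.expand_path("VERSION", __dir__)).strip == s.version.to_s`. The `Gem::Specification.new` block continues past the end of this hunk.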
@@ -328,4 +328,25 @@ describe LogStash::Filters::Dissect do
328
328
  end
329
329
  end
330
330
  end
331
+
332
+ describe "Compatibility suite" do
333
+ tests = LogStash::Json.load(File.read(File.join(File.dirname(__FILE__), "/../fixtures/dissect_tests.json")))
334
+ tests.each do |test|
335
+ describe test["name"] do
336
+ let(:options) { { "mapping" => { "message" => test["tok"] } } }
337
+ subject { described_class.new(options) }
338
+ let(:event) { LogStash::Event.new({ "message" => test["msg"] }) }
339
+ before(:each) do
340
+ subject.register
341
+ subject.filter(event)
342
+ end
343
+
344
+ it "should dissect properly" do
345
+ test["expected"].each do |k, v|
346
+ expect(event.get(k)).to eq(v)
347
+ end
348
+ end
349
+ end
350
+ end
351
+ end
331
352
  end
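Review bot: The loop at `tests.each do |test|` never reads the `skip` flag that every entry in `spec/fixtures/dissect_tests.json` carries, so a case later marked `"skip": true` would still run. Either add `next if test["skip"]` as the first statement of the loop or drop the field from the fixture. The example also asserts only the keys listed in `expected`, so in the "named skiped field with indirect" case nothing checks that `key` stays out of the event, and no case checks that the event carries no failure tag. An absence check next to the `eq(v)` loop would make the suite catch a skip field leaking through. The enclosing `describe LogStash::Filters::Dissect` block starts outside this hunk.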
@@ -0,0 +1,157 @@
1
+ [
2
+ {
3
+ "name": "Complex stack trace",
4
+ "tok": "%{day}-%{month}-%{year} %{hour} %{severity} [%{thread_id}] %{origin} %{message}",
5
+ "msg": "18-Apr-2018 06:53:20.411 INFO [http-nio-8080-exec-1] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header\n Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.\n java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens\n at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:426)\n at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687)\n at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)\n at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)\n at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n at java.lang.Thread.run(Thread.java:748)",
6
+ "expected": {
7
+ "day": "18",
8
+ "hour": "06:53:20.411",
9
+ "message": "Error parsing HTTP request header\n Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.\n java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens\n at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:426)\n at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687)\n at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)\n at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)\n at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n at java.lang.Thread.run(Thread.java:748)",
10
+ "month": "Apr",
11
+ "origin": "org.apache.coyote.http11.Http11Processor.service",
12
+ "severity": "INFO",
13
+ "thread_id": "http-nio-8080-exec-1",
14
+ "year": "2018"
15
+ },
16
+ "skip": false
17
+ },
18
+ {
19
+ "name": "simple dissect",
20
+ "tok": "%{key}",
21
+ "msg": "foobar",
22
+ "expected": {
23
+ "key": "foobar"
24
+ },
25
+ "skip": false
26
+ },
27
+ {
28
+ "name": "dissect two replacement",
29
+ "tok": "%{key1} %{key2}",
30
+ "msg": "foo bar",
31
+ "expected": {
32
+ "key1": "foo",
33
+ "key2": "bar"
34
+ },
35
+ "skip": false
36
+ },
37
+ {
38
+ "name": "one level dissect not end of string",
39
+ "tok": "/var/%{key}/log",
40
+ "msg": "/var/foobar/log",
41
+ "expected": {
42
+ "key": "foobar"
43
+ },
44
+ "skip": false
45
+ },
46
+ {
47
+ "name": "one level dissect",
48
+ "tok": "/var/%{key}",
49
+ "msg": "/var/foobar/log",
50
+ "expected": {
51
+ "key": "foobar/log"
52
+ },
53
+ "skip": false
54
+ },
55
+ {
56
+ "name": "multiple keys dissect end of string",
57
+ "tok": "/var/%{key}/log/%{key1}",
58
+ "msg": "/var/foobar/log/apache",
59
+ "expected": {
60
+ "key": "foobar",
61
+ "key1": "apache"
62
+ },
63
+ "skip": false
64
+ },
65
+ {
66
+ "name": "multiple keys not end of string",
67
+ "tok": "/var/%{key}/log/%{key1}.log",
68
+ "msg": "/var/foobar/log/apache.log",
69
+ "expected": {
70
+ "key": "foobar",
71
+ "key1": "apache"
72
+ },
73
+ "skip": false
74
+ },
75
+ {
76
+ "name": "simple ordered",
77
+ "tok": "%{+key/3} %{+key/1} %{+key/2}",
78
+ "msg": "1 2 3",
79
+ "expected": {
80
+ "key": "2 3 1"
81
+ },
82
+ "skip": false
83
+ },
84
+ {
85
+ "name": "simple append",
86
+ "tok": "%{key}-%{+key}-%{+key}",
87
+ "msg": "1-2-3",
88
+ "expected": {
89
+ "key": "1-2-3"
90
+ },
91
+ "skip": false
92
+ },
93
+ {
94
+ "name": "indirect field",
95
+ "tok": "%{key} %{\u0026key}",
96
+ "msg": "hello world",
97
+ "expected": {
98
+ "hello": "world",
99
+ "key": "hello"
100
+ },
101
+ "skip": false
102
+ },
103
+ {
104
+ "name": "skip field",
105
+ "tok": "%{} %{key}",
106
+ "msg": "hello world",
107
+ "expected": {
108
+ "key": "world"
109
+ },
110
+ "skip": false
111
+ },
112
+ {
113
+ "name": "named skiped field with indirect",
114
+ "tok": "%{?key} %{\u0026key}",
115
+ "msg": "hello world",
116
+ "expected": {
117
+ "hello": "world"
118
+ },
119
+ "skip": false
120
+ },
121
+ {
122
+ "name": "missing fields",
123
+ "tok": "%{name},%{addr1},%{addr2},%{addr3},%{city},%{zip}",
124
+ "msg": "Jane Doe,4321 Fifth Avenue,,,New York,87432",
125
+ "expected": {
126
+ "addr1": "4321 Fifth Avenue",
127
+ "addr2": "",
128
+ "addr3": "",
129
+ "city": "New York",
130
+ "name": "Jane Doe",
131
+ "zip": "87432"
132
+ },
133
+ "skip": false
134
+ },
135
+ {
136
+ "name": "ignore right padding",
137
+ "tok": "%{id} %{function-\u003e} %{server}",
138
+ "msg": "00000043 ViewReceive machine-321",
139
+ "expected": {
140
+ "function": "ViewReceive",
141
+ "id": "00000043",
142
+ "server": "machine-321"
143
+ },
144
+ "skip": false
145
+ },
146
+ {
147
+ "name": "ignore left padding",
148
+ "tok": "%{id-\u003e} %{function} %{server}",
149
+ "msg": "00000043 ViewReceive machine-321",
150
+ "expected": {
151
+ "function": "ViewReceive",
152
+ "id": "00000043",
153
+ "server": "machine-321"
154
+ },
155
+ "skip": false
156
+ }
157
+ ]
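--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: logstash-filter-dissect
  version: !ruby/object:Gem::Version
- version: 1.1.4
+ version: 1.2.3
  platform: ruby
  authors:
  - Elastic
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-02-15 00:00:00.000000000 Z
+ date: 2021-12-18 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  requirement: !ruby/object:Gem::Requirement
@@ -94,8 +94,9 @@ files:
  - lib/logstash/filters/dissect.rb
  - logstash-filter-dissect.gemspec
  - spec/filters/dissect_spec.rb
+ - spec/fixtures/dissect_tests.json
  - spec/spec_helper.rb
- - vendor/jars/org/logstash/dissect/jruby-dissect-library/1.1.4/jruby-dissect-library-1.1.4.jar
+ - vendor/jars/org/logstash/dissect/jruby-dissect-library/1.2.3/jruby-dissect-library-1.2.3.jar
  homepage: http://www.elastic.co/guide/en/logstash/current/index.html
  licenses:
  - Apache License (2.0)
@@ -118,11 +119,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubyforge_project:
- rubygems_version: 2.6.13
+ rubygems_version: 3.1.6
  signing_key:
  specification_version: 4
  summary: Extracts unstructured event data into fields using delimiters
  test_files:
  - spec/filters/dissect_spec.rb
+ - spec/fixtures/dissect_tests.json
  - spec/spec_helper.rb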